
Commit ccd086c3 authored by sheenam monga, committed by Madan Koyyalamudi

qcacmn: Fix possible OOB in wmi_extract_dbr_buf_release_entry

Currently in function wmi_extract_dbr_buf_release_entry,
num_buf_release_entry & num_meta_data_entry are copied
to direct_buf_rx_rsp structure without any validation which
may cause out of bound issue if num_buf_release_entry or
num_meta_data_entries provided in fixed param becomes greater
than actual number of entries.

Fix is to validate num_entries and num_meta_data before populating
param->num_buf_release_entry and param->num_meta_data_entry.

Change-Id: I18050fd4f90f8815d7eceb5f715fdbaa09130d3a
CRs-Fixed: 3000875
parent d0f8b3fe
+5 −0
@@ -1845,6 +1845,11 @@ static int target_if_direct_buf_rx_rsp_event_handler(ol_scn_t scn,
	dbr_buf_pool = mod_param->dbr_buf_pool;
	dbr_rsp.dbr_entries = qdf_mem_malloc(dbr_rsp.num_buf_release_entry *
					sizeof(struct direct_buf_rx_entry));
	if (!dbr_rsp.dbr_entries) {
		direct_buf_rx_err("invalid dbr_entries");
		wlan_objmgr_pdev_release_ref(pdev, dbr_mod_id);
		return QDF_STATUS_E_FAILURE;
	}

	if (dbr_rsp.num_meta_data_entry > dbr_rsp.num_buf_release_entry) {
		direct_buf_rx_err("More than expected number of metadata");
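
Review bot: The failure path after qdf_mem_malloc returns QDF_STATUS_E_FAILURE from a handler that the hunk header declares as static int, so the caller receives a QDF status code where an int result is expected; return a value that follows the function's int convention, or confirm the caller treats any non-zero value as failure. The message "invalid dbr_entries" also reads like a validation error, while the condition is an allocation failure; wording such as "dbr_entries allocation failed" would make the log unambiguous. Since the allocation size is dbr_rsp.num_buf_release_entry * sizeof(struct direct_buf_rx_entry), a short comment noting that the count was already bounded when the fixed param was extracted would help the next reader.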
+11 −1
/*
 * Copyright (c) 2016-2020 The Linux Foundation. All rights reserved.
 * Copyright (c) 2016-2021 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -132,7 +132,17 @@ static QDF_STATUS extract_dbr_buf_release_fixed_tlv(wmi_unified_t wmi_handle,
								wmi_handle,
								ev->pdev_id);
	param->mod_id = ev->mod_id;
	if ((!param_buf->num_entries) ||
	    param_buf->num_entries < ev->num_buf_release_entry){
		wmi_err("actual num of buf release entries less than provided entries");
		return QDF_STATUS_E_INVAL;
	}
	param->num_buf_release_entry = ev->num_buf_release_entry;
	if ((!param_buf->num_meta_data) ||
	    param_buf->num_meta_data < ev->num_meta_data_entry) {
		wmi_err("actual num of meta data entries less than provided entries");
		return QDF_STATUS_E_INVAL;
	}
	param->num_meta_data_entry = ev->num_meta_data_entry;
	wmi_debug("pdev id %d mod id %d num buf release entry %d",
		 param->pdev_id, param->mod_id, param->num_buf_release_entry);
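
Review bot: The `!param_buf->num_entries` and `!param_buf->num_meta_data` terms reject an event whose TLV array is empty even when the fixed param also reports zero, so an event that carries release entries but no metadata (num_meta_data 0 and ev->num_meta_data_entry 0) now fails with QDF_STATUS_E_INVAL. If that case is legitimate, the comparison alone (param_buf->num_meta_data < ev->num_meta_data_entry) already covers the out-of-bounds concern; if it is not, a comment stating that an empty array is never valid would document the intent. Both wmi_err messages would be more useful with the actual and claimed counts printed, and the first check is missing a space before the opening brace ("ev->num_buf_release_entry){").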