Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e7f979e8 authored by Yeshwanth Sriram Guntuka's avatar Yeshwanth Sriram Guntuka Committed by Gerrit - the friendly Code Review server
Browse files

qcacmn: Fix possible OOB access for tx_hw_desc_history 

Memory allocated for tx_hw_desc_history uses incorrect
size parameter resulting in much lower memory to get
assigned. This will result in OOB access and corruptions
in memory, regions post the trailing boundary when updating
tx hw desc events via dp_tx_hw_desc_update_evt.

Fix is to use the appropriate memory size for tx_hw_desc_history
and add NULL check in dp_tx_hw_desc_update_evt.

Change-Id: I97af7898cf8bf1b24978d559f84a2a3d00227ed8
CRs-Fixed: 2952859
parent 6564a124

dp/wifi3.0/dp_main.c

+1 −1
Original line number Diff line number Diff line
@@ -4169,7 +4169,7 @@ static void dp_soc_tx_hw_desc_history_attach(struct dp_soc *soc) 
{

	soc->tx_hw_desc_history = dp_context_alloc_mem(

			soc, DP_TX_HW_DESC_HIST_TYPE,

			sizeof(struct dp_tx_hw_desc_evt));

			sizeof(*soc->tx_hw_desc_history));

	if (soc->tx_hw_desc_history)

		soc->tx_hw_desc_history->index = 0;

}

dp/wifi3.0/dp_tx.c

+3 −0
Original line number Diff line number Diff line
@@ -1540,6 +1540,9 @@ dp_tx_hw_desc_update_evt(uint8_t *hal_tx_desc_cached, 
	struct dp_tx_hw_desc_evt *evt;

	uint64_t idx = 0;



	if (!soc->tx_hw_desc_history)

		return;



	idx = ++soc->tx_hw_desc_history->index;

	if (idx == DP_TX_HW_DESC_HIST_MAX)

		soc->tx_hw_desc_history->index = 0;