Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 02ef13a3 authored by Harprit Chhabada's avatar Harprit Chhabada Committed by nshrivas
Browse files

qcacmn: Add bound check 

Add bound check for desc_id in tgt_mgmt_txrx_get_vdev_id_from_desc_id
and tgt_mgmt_txrx_get_nbuf_from_desc_id

Change-Id: Ie27c473061fb68f1d3486cbfe95c015be77203f9
CRs-Fixed: 2304610
parent b0ae41c9

umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_main.c

+8 −14
Original line number Diff line number Diff line
@@ -26,22 +26,16 @@ 
#include "qdf_nbuf.h"



QDF_STATUS wlan_mgmt_txrx_desc_pool_init(

			struct mgmt_txrx_priv_pdev_context *mgmt_txrx_pdev_ctx,

			uint32_t pool_size)

			struct mgmt_txrx_priv_pdev_context *mgmt_txrx_pdev_ctx)

{

	uint32_t i;



	if (!pool_size) {

		mgmt_txrx_err("Invalid pool size %u given", pool_size);

		qdf_assert_always(pool_size);

		return QDF_STATUS_E_INVAL;

	}



	mgmt_txrx_info(

			"mgmt_txrx ctx: %pK pdev: %pK"

			"initialize mgmt desc pool of size %d",

			mgmt_txrx_pdev_ctx, mgmt_txrx_pdev_ctx->pdev, pool_size);

	mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool = qdf_mem_malloc(pool_size *

			"mgmt_txrx ctx: %pK pdev: %pK mgmt desc pool size %d",

			mgmt_txrx_pdev_ctx, mgmt_txrx_pdev_ctx->pdev,

			MGMT_DESC_POOL_MAX);

	mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool = qdf_mem_malloc(

			MGMT_DESC_POOL_MAX *

			sizeof(struct mgmt_txrx_desc_elem_t));



	if (!mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool) {
@@ -49,9 +43,9 @@ QDF_STATUS wlan_mgmt_txrx_desc_pool_init( 
		return QDF_STATUS_E_NOMEM;

	}

	qdf_list_create(&mgmt_txrx_pdev_ctx->mgmt_desc_pool.free_list,

					pool_size);

					MGMT_DESC_POOL_MAX);



	for (i = 0; i < pool_size; i++) {

	for (i = 0; i < MGMT_DESC_POOL_MAX; i++) {

		mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool[i].desc_id = i;

		mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool[i].in_use = false;

		qdf_list_insert_front(

umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_main_i.h

+1 −3
Original line number Diff line number Diff line
@@ -199,15 +199,13 @@ struct mgmt_txrx_priv_pdev_context { 
/**

 * wlan_mgmt_txrx_desc_pool_init() - initializes mgmt. desc. pool

 * @mgmt_txrx_pdev_ctx: mgmt txrx pdev context

 * @pool_size: desc. pool size

 *

 * This function initializes the mgmt descriptor pool.

 *

 * Return: QDF_STATUS_SUCCESS - in case of success

 */

QDF_STATUS wlan_mgmt_txrx_desc_pool_init(

			struct mgmt_txrx_priv_pdev_context *mgmt_txrx_pdev_ctx,

			uint32_t pool_size);

			struct mgmt_txrx_priv_pdev_context *mgmt_txrx_pdev_ctx);



/**

 * wlan_mgmt_txrx_desc_pool_deinit() - deinitializes mgmt. desc. pool

umac/cmn_services/mgmt_txrx/dispatcher/src/wlan_mgmt_txrx_tgt_api.c

+9 −0
Original line number Diff line number Diff line
@@ -1092,6 +1092,11 @@ qdf_nbuf_t tgt_mgmt_txrx_get_nbuf_from_desc_id( 
		mgmt_txrx_err("Mgmt txrx context empty for pdev %pK", pdev);

		goto fail;

	}

	if (desc_id >= MGMT_DESC_POOL_MAX) {

		mgmt_txrx_err("desc_id:%u is out of bounds", desc_id);

		goto fail;

	}



	mgmt_desc = &mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool[desc_id];

	if (!mgmt_desc) {

		mgmt_txrx_err("Mgmt descriptor unavailable for id %d pdev %pK",
@@ -1151,6 +1156,10 @@ uint8_t tgt_mgmt_txrx_get_vdev_id_from_desc_id( 
		mgmt_txrx_err("Mgmt txrx context empty for pdev %pK", pdev);

		goto fail;

	}

	if (desc_id >= MGMT_DESC_POOL_MAX) {

		mgmt_txrx_err("desc_id:%u is out of bounds", desc_id);

		goto fail;

	}



	mgmt_desc = &mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool[desc_id];

	if (!mgmt_desc) {

umac/cmn_services/mgmt_txrx/dispatcher/src/wlan_mgmt_txrx_utils_api.c

+1 −2
Original line number Diff line number Diff line
@@ -169,8 +169,7 @@ static QDF_STATUS wlan_mgmt_txrx_pdev_obj_create_notification( 


	mgmt_txrx_pdev_ctx->pdev = pdev;



	status = wlan_mgmt_txrx_desc_pool_init(mgmt_txrx_pdev_ctx,

					       MGMT_DESC_POOL_MAX);

	status = wlan_mgmt_txrx_desc_pool_init(mgmt_txrx_pdev_ctx);

	if (status != QDF_STATUS_SUCCESS) {

		mgmt_txrx_err(

			"Failed to initialize mgmt desc. pool with status: %u",