qcacmn: Fix possible OOB in target_if_direct_buf_rx_rsp_event_handler
The function target_if_direct_buf_rx_rsp_event_handler() handles the WMI_PDEV_DMA_RING_BUF_RELEASE_EVENTID event from the target. This function calls extract_dbr_buf_release_fixed_tlv() to copy the module id, pdev id, number of buffer release entries and number of meta data release entries. The value of module id is used to index the array dbr_mod_param to get the value of mod_param. So a module id value greater than dbr_pdev_obj->num_modules could result in a possible OOB.

Validate mod_id received in the fixed param of the event WMI_PDEV_DMA_RING_BUF_RELEASE_EVENTID against dbr_pdev_obj->num_modules.

Change-Id: I1c2c0a2a9c98d8b787496aba7a7c4f8fd781de16
CRs-Fixed: 2428798
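As an added illustration of the check this commit message describes (not the qcacmn code itself): a simplified handler that validates a target-supplied module id before using it to index a per-module array. The structure and function names are hypothetical, and the array is assumed to hold num_modules entries indexed from 0, so an id equal to num_modules is rejected as well.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the driver's structures. */
struct mod_param {
    uint32_t bufs_released;
};

struct pdev_obj {
    uint32_t num_modules;        /* valid entries in mod_param[] */
    struct mod_param *mod_param; /* indexed by module id, 0-based (assumption) */
};

/* Fixed part of the buffer-release event, filled from untrusted target data. */
struct buf_release_rsp {
    uint32_t pdev_id;
    uint32_t mod_id;
    uint32_t num_buf_release_entry;
};

/* Returns 0 when the event is accepted, -1 when it is dropped. */
int handle_buf_release(struct pdev_obj *pdev, const struct buf_release_rsp *rsp)
{
    if (pdev == NULL || rsp == NULL || pdev->mod_param == NULL)
        return -1;

    /* Validate the index before it is used; unsigned compare also
     * rejects very large values such as 0xFFFFFFFF. */
    if (rsp->mod_id >= pdev->num_modules) {
        fprintf(stderr, "dropping event: mod_id %u out of range (%u modules)\n",
                (unsigned)rsp->mod_id, (unsigned)pdev->num_modules);
        return -1;
    }

    pdev->mod_param[rsp->mod_id].bufs_released += rsp->num_buf_release_entry;
    return 0;
}

int main(void)
{
    struct mod_param mods[3] = { {0}, {0}, {0} };   /* constructed sample state */
    struct pdev_obj pdev = { 3, mods };
    struct buf_release_rsp ok = { 0, 2, 5 }, bad = { 0, 3, 5 };

    printf("in range: %d, out of range: %d\n",
           handle_buf_release(&pdev, &ok), handle_buf_release(&pdev, &bad));
    return 0;
}
```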