From 0a0f562c0cba4d43f95301c6ec906b79ec45e043 Mon Sep 17 00:00:00 2001 From: chunquan Date: Fri, 7 Jan 2022 15:43:31 +0800 Subject: [PATCH] qcacld-3.0: Fix out-of-bounds in tx_stats The tx_stats array length num_entries can't be more than param_buf->num_tx_stats from fw. Otherwies out-of-bounds will happen when read wmi_tx_stats. Change-Id: I7ab3c7cc7baef6d903ba6301622bd67efe52cebe CRs-Fixed: 3104318 --- drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c b/drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c index d8fe9058a116..9348d585f0f4 100644 --- a/drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c +++ b/drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c @@ -1123,9 +1123,9 @@ wma_fill_tx_stats(struct sir_wifi_ll_ext_stats *ll_stats, struct sir_wifi_tx *tx_stats; struct sir_wifi_ll_ext_peer_stats *peer_stats; uint32_t *tx_mpdu_aggr, *tx_succ_mcs, *tx_fail_mcs, *tx_delay; - uint32_t len, dst_len, param_len, tx_mpdu_aggr_array_len, - tx_succ_mcs_array_len, tx_fail_mcs_array_len, - tx_delay_array_len; + uint32_t len, dst_len, param_len, num_entries, + tx_mpdu_aggr_array_len, tx_succ_mcs_array_len, + tx_fail_mcs_array_len, tx_delay_array_len; result = *buf; dst_len = *buf_length; @@ -1204,6 +1204,12 @@ wma_fill_tx_stats(struct sir_wifi_ll_ext_stats *ll_stats, return QDF_STATUS_E_FAILURE; } + num_entries = fix_param->num_peer_ac_tx_stats * WLAN_MAX_AC; + if (num_entries > param_buf->num_tx_stats) { + wma_err("tx stats invalid arg, %d", num_entries); + return QDF_STATUS_E_FAILURE; + } + for (i = 0; i < fix_param->num_peer_ac_tx_stats; i++) { uint32_t peer_id = wmi_peer_tx[i].peer_id; struct sir_wifi_tx *ac;