bcmdhd: Fixed OOB write possibility in txstatus handler

Bug: 322820391
Test: no issue is seen in MTBF
Test: AU drop test

Change-Id: I25106bc56688c3dcdb4210786e7ed7f62b2f33cb
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>

2 files changed, 9 insertions, 0 deletions

diff --git a/dhd_flowring.h b/dhd_flowring.h
index 8f6222f..2fdb400 100644
--- a/dhd_flowring.h
+++ b/dhd_flowring.h
@@ -133,6 +133,9 @@
 	(DHD_IF_ROLE_AP(pub, idx) || DHD_IF_ROLE_P2PGO(pub, idx) ||\
 		DHD_IF_ROLE_NAN(pub, idx))
 
+#define DHD_FLOW_RING_INV_ID(dhdp, flowid) \
+	(flowid < FLOWID_RESERVED) || (flowid > (dhdp)->max_tx_flowid)
+
 #define DHD_FLOW_RING(dhdp, flowid) \
 	(flow_ring_node_t *)&(((flow_ring_node_t *)((dhdp)->flow_ring_table))[flowid])
 
diff --git a/dhd_msgbuf.c b/dhd_msgbuf.c
index 4bc1d1a..94666e6 100644
--- a/dhd_msgbuf.c
+++ b/dhd_msgbuf.c
@@ -7914,6 +7914,12 @@ BCMFASTPATH(dhd_prot_txstatus_process)(dhd_pub_t *dhd, void *msg)
 	txstatus = (host_txbuf_cmpl_t *)msg;
 
 	flowid = txstatus->compl_hdr.flow_ring_id;
+	if (DHD_FLOW_RING_INV_ID(dhd, flowid)) {
+		DHD_ERROR(("%s: invalid flowid:%d alloc_max:%d fid_max:%d\n",
+			__FUNCTION__, flowid, dhd->num_h2d_rings, dhd->max_tx_flowid));
+		return;
+	}
+
 	flow_ring_node = DHD_FLOW_RING(dhd, flowid);
 #ifdef AGG_H2D_DB
 	flow_ring = DHD_RING_IN_FLOWRINGS_POOL(prot, flowid);