author | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2022-09-26 05:31:19 -0700 |
---|---|---|
committer | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2022-12-13 09:12:22 +0000 |
commit | 6204cc13f7a9e94dbbdce06c46a24bf0315be3e2 (patch) | |
tree | d0ee71e870e18ef94f4c5e3f5b88f1784bae2294 | |
parent | 811075a8eecf069db82e5a7bb8f49b64bd13d18c (diff) | |
download | qca-wfi-host-cmn-6204cc13f7a9e94dbbdce06c46a24bf0315be3e2.tar.gz |
qcacmn: Add a tid check for RX to avoid of OOB accessandroid-t-qpr3-beta-3_r0.2android-t-qpr3-beta-3.1_r0.2android-t-qpr3-beta-2_r0.2android-t-qpr3-beta-1_r0.2android-t-qpr2-beta-3_r0.2android-t-qpr2-beta-3.2_r0.3android-13.0.0_r0.81android-13.0.0_r0.72android-13.0.0_r0.67android-13.0.0_r0.62android-13.0.0_r0.122android-13.0.0_r0.111android-13.0.0_r0.102android-msm-redbull-4.19-t-qpr3-beta-3android-msm-redbull-4.19-t-qpr3-beta-2android-msm-redbull-4.19-t-qpr2-beta-3.2android-msm-redbull-4.19-android13-qpr3-beta1android-msm-redbull-4.19-android13-qpr3android-msm-redbull-4.19-android13-qpr2-betaandroid-msm-redbull-4.19-android13-qpr2
The TID in an RX frame header may be larger than the maximum allowed
TID value; this leads to an out-of-bounds array access and
eventually to a kernel crash. This change adds a TID
check and discards such frames when necessary.
Bug: 261470732
Test: Regression Test
Change-Id: I11f312668a5a42d690c058550f22b0f36f952104
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
CRs-Fixed: 3264581
-rw-r--r-- | dp/wifi3.0/dp_rx.c | 9 | ||||
-rw-r--r-- | dp/wifi3.0/dp_stats.c | 2 | ||||
-rw-r--r-- | dp/wifi3.0/dp_types.h | 2 |
3 files changed, 12 insertions, 1 deletions
diff --git a/dp/wifi3.0/dp_rx.c b/dp/wifi3.0/dp_rx.c
index 13a9cc5e0..ee5a75f34 100644
--- a/dp/wifi3.0/dp_rx.c
+++ b/dp/wifi3.0/dp_rx.c
@@ -2054,8 +2054,15 @@ done:
 next = nbuf->next;
 rx_tlv_hdr = qdf_nbuf_data(nbuf);
 /* Get TID from struct cb->tid_val, save to tid */
- if (qdf_nbuf_is_rx_chfrag_start(nbuf))
+ if (qdf_nbuf_is_rx_chfrag_start(nbuf)) {
 tid = qdf_nbuf_get_tid_val(nbuf);
+ if (tid >= CDP_MAX_DATA_TIDS) {
+ DP_STATS_INC(soc, rx.err.rx_invalid_tid_err, 1);
+ qdf_nbuf_free(nbuf);
+ nbuf = next;
+ continue;
+ }
+ }
 /*
 * Check if DMA completed -- msdu_done is the last bit
diff --git a/dp/wifi3.0/dp_stats.c b/dp/wifi3.0/dp_stats.c
index 6162e734e..db96381cb 100644
--- a/dp/wifi3.0/dp_stats.c
+++ b/dp/wifi3.0/dp_stats.c
@@ -5671,5 +5671,7 @@ dp_print_soc_rx_stats(struct dp_soc *soc)
 DP_PRINT_STATS("REO Error(0-14):%s", reo_error);
 DP_PRINT_STATS("REO CMD SEND FAIL: %d",
 soc->stats.rx.err.reo_cmd_send_fail);
+ DP_PRINT_STATS("Rx invalid TID count:%d",
+ soc->stats.rx.err.rx_invalid_tid_err);
 }
diff --git a/dp/wifi3.0/dp_types.h b/dp/wifi3.0/dp_types.h
index 363e98087..506766cdb 100644
--- a/dp/wifi3.0/dp_types.h
+++ b/dp/wifi3.0/dp_types.h
@@ -784,6 +784,8 @@ struct dp_soc_stats {
 uint32_t reo_err_oor_sg_count;
 /* RX msdu rejected count on delivery to vdev stack_fn*/
 uint32_t rejected;
+ /* Rx invalid tid count */
+ uint32_t rx_invalid_tid_err;
 } err;
 /* packet count per core - per ring */ |
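Review bot: In the dp_rx.c hunk the range check sits inside the `qdf_nbuf_is_rx_chfrag_start(nbuf)` branch, and `tid` is assigned before it is validated, so an out-of-range value appears to remain in `tid` after the `continue`. If `tid` is carried across loop iterations (its declaration is outside this hunk), later buffers that are not a chain-fragment start would skip the check and still reach the TID-indexed accesses with the stale value. Closing the first `if` right after `tid = qdf_nbuf_get_tid_val(nbuf);` and then testing `if (tid >= CDP_MAX_DATA_TIDS)` for every nbuf would cover those buffers as well. The enclosing loop starts and ends outside the hunk, so it is also worth confirming that `qdf_nbuf_free(nbuf)` matches the release and accounting used by the loop's other drop paths.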
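Review bot: In the dp_stats.c hunk, `rx_invalid_tid_err` is printed with `%d` although the dp_types.h hunk declares it `uint32_t`, so a large count would be displayed as a negative number; `DP_PRINT_STATS("Rx invalid TID count:%u",` matches the declared type. The neighbouring `reo_cmd_send_fail` line also uses `%d`, but its declaration is not visible here.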