mhi: core: Add range check for channel id received in event ring
The mhi_process_data_event_ring function reads cmd channel id from
cmd_pkt using MHI_TRE_GET_CHID, the value is under the control of MHI
devices and can be any value between 0 and 255. However the max channel
is defined in device tree file and it is usually smaller than 255. This
can cause out of bound access to the channel array. Fix this by checking
the channel id received in cmd ring against the max channel allowed on
target.
Change-Id: Iae4282ebba2976a26c6e33477cc8dd93929c2f63
Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
diff --git a/drivers/bus/mhi/core/mhi_main.c b/drivers/bus/mhi/core/mhi_main.c
index 66cb2a9..1b81eb8 100644
--- a/drivers/bus/mhi/core/mhi_main.c
+++ b/drivers/bus/mhi/core/mhi_main.c
@@ -1285,6 +1285,10 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl,
local_rp->ptr, local_rp->dword[0], local_rp->dword[1]);
chan = MHI_TRE_GET_EV_CHID(local_rp);
+ if (chan >= mhi_cntrl->max_chan) {
+ MHI_ERR("invalid channel id %u\n", chan);
+ continue;
+ }
mhi_chan = &mhi_cntrl->mhi_chan[chan];
if (likely(type == MHI_PKT_TYPE_TX_EVENT)) {