qcacmn: Check cookie and avoid to read out of bound
An invalid cookie causes an out-of-bounds read that leaves the device broken. This
change checks the cookie before using it as an index into the DBR buffer pool.
Change-Id: I1abc7d771cc62a7dd2dfe98784bf8ef2710f26ca
CRs-Fixed: 3144133
diff --git a/drivers/staging/qca-wifi-host-cmn/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c b/drivers/staging/qca-wifi-host-cmn/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
index 36cfeb9..359a165 100644
--- a/drivers/staging/qca-wifi-host-cmn/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
+++ b/drivers/staging/qca-wifi-host-cmn/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
@@ -318,6 +318,11 @@ static QDF_STATUS target_if_dbr_replenish_ring(struct wlan_objmgr_pdev *pdev,
return QDF_STATUS_E_FAILURE;
}
+ if (cookie >= mod_param->dbr_ring_cfg->num_ptr) {
+ direct_buf_rx_err("invalid cookie %d", cookie);
+ return QDF_STATUS_E_INVAL;
+ }
+
dbr_psoc_obj = wlan_objmgr_psoc_get_comp_private_obj(psoc,
WLAN_TARGET_IF_COMP_DIRECT_BUF_RX);
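Review bot: The added guard tests only an upper bound and logs the value with `%d`, so it is right only if `cookie` is an unsigned type; its declaration is outside this hunk and should be confirmed. If it is unsigned, the message should read `direct_buf_rx_err("invalid cookie %u", cookie);` so that a large out-of-range value is not logged as a negative number when someone triages the failure. If it is signed, whether a negative cookie is rejected depends on the type of `num_ptr`, and an explicit lower bound would make the check independent of integer promotion. The same applies to the identical guard added in target_if_dbr_vaddr_lookup, and the body of target_if_dbr_replenish_ring starts and ends outside this hunk.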
@@ -720,6 +725,11 @@ static void *target_if_dbr_vaddr_lookup(
dbr_buf_pool = mod_param->dbr_buf_pool;
+ if (cookie >= mod_param->dbr_ring_cfg->num_ptr) {
+ direct_buf_rx_err("invalid cookie %d", cookie);
+ return NULL;
+ }
+
if (dbr_buf_pool[cookie].paddr == paddr) {
return dbr_buf_pool[cookie].vaddr +
dbr_buf_pool[cookie].offset;
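Review bot: The guard bounds `cookie` by `mod_param->dbr_ring_cfg->num_ptr`, but the array indexed just below is `mod_param->dbr_buf_pool`, and nothing in the hunk shows that the pool is allocated with exactly `num_ptr` entries or that `dbr_ring_cfg` is non-NULL here. If that is the invariant, it deserves a comment above the check, for example `/* dbr_buf_pool holds dbr_ring_cfg->num_ptr entries; cookie indexes it */`, so a later change to the pool size does not silently invalidate the bound. A NULL test on `dbr_ring_cfg` before the dereference would be worth adding if this lookup can run before the ring is configured or after it is torn down. The callers that receive the new `NULL` return are outside the hunk and should be confirmed to handle it, as is the rest of target_if_dbr_vaddr_lookup.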