bcmdhd: Fixed possible OOB write in msgbuf handler
Bug: 350472698
Test: SVT test cycle
Change-Id: I1ecaf13a21c713316fbf081bf2c5680e52e55a36
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>
(cherry picked from commit 4082240c36f824268668668041f46c8b98940f70)
diff --git a/dhd_pcie.c b/dhd_pcie.c
index c6ab7be..5f19f4e 100644
--- a/dhd_pcie.c
+++ b/dhd_pcie.c
@@ -18019,10 +18019,10 @@
DHD_INFO(("%s :Flow Response %d \n", __FUNCTION__, flowid));
/* Boundary check of the flowid */
- if (flowid > bus->dhd->max_tx_flowid) {
- DHD_ERROR(("%s: flowid is invalid %d, max id %d\n", __FUNCTION__,
- flowid, bus->dhd->max_tx_flowid));
- return;
+ if (DHD_FLOW_RING_INV_ID(bus->dhd, flowid)) {
+ DHD_ERROR(("%s: invalid flowid:%d alloc_max:%d fid_max:%d\n",
+ __FUNCTION__, flowid, bus->dhd->num_h2d_rings,
+ bus->dhd->max_tx_flowid));
}
flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);
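Review bot: The rewritten boundary check no longer leaves the handler: the old `return;` is on a removed line and no added line restores it, so after logging an invalid flowid execution falls through to `flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);` with the index that was just rejected. Since flowid presumably comes from the device's response message, that leaves the out-of-bounds access named in the commit title reachable, so the block should keep `return;` after the `DHD_ERROR((...));` call. The same applies to the hunks at @@ -18126 and @@ -18209. The definition of `DHD_FLOW_RING_INV_ID` is not visible here, so confirm it rejects ids at or above the allocated ring count (`num_h2d_rings` in the log line) as well as above `max_tx_flowid`; the enclosing functions start and end outside these hunks.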
@@ -18126,10 +18126,10 @@
DHD_INFO(("%s :Flow Delete Response %d \n", __FUNCTION__, flowid));
/* Boundary check of the flowid */
- if (flowid > bus->dhd->max_tx_flowid) {
- DHD_ERROR(("%s: flowid is invalid %d, max id %d\n", __FUNCTION__,
- flowid, bus->dhd->max_tx_flowid));
- return;
+ if (DHD_FLOW_RING_INV_ID(bus->dhd, flowid)) {
+ DHD_ERROR(("%s: invalid flowid:%d alloc_max:%d fid_max:%d\n",
+ __FUNCTION__, flowid, bus->dhd->num_h2d_rings,
+ bus->dhd->max_tx_flowid));
}
flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);
@@ -18209,10 +18209,10 @@
}
/* Boundary check of the flowid */
- if (flowid > bus->dhd->max_tx_flowid) {
- DHD_ERROR(("%s: flowid is invalid %d, max id %d\n", __FUNCTION__,
- flowid, bus->dhd->max_tx_flowid));
- return;
+ if (DHD_FLOW_RING_INV_ID(bus->dhd, flowid)) {
+ DHD_ERROR(("%s: invalid flowid:%d alloc_max:%d fid_max:%d\n",
+ __FUNCTION__, flowid, bus->dhd->num_h2d_rings,
+ bus->dhd->max_tx_flowid));
}
flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);