Merge branch 'android-msm-barbet-4.19-sc-security' into android-msm-barbet-4.19-sc-qpr1

Jan 2022.1

Bug: 204278602
Change-Id: I3dad163c435883d099cdff4810b0ed2074fe7859
diff --git a/target_if/wifi_pos/src/target_if_wifi_pos.c b/target_if/wifi_pos/src/target_if_wifi_pos.c
index 42f5ead..b8f90a3 100644
--- a/target_if/wifi_pos/src/target_if_wifi_pos.c
+++ b/target_if/wifi_pos/src/target_if_wifi_pos.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2019, 2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -90,6 +90,7 @@
 	void *paddr = NULL;
 	uint32_t addr_hi;
 	uint8_t ring_idx = 0, num_rings;
+	uint32_t allocated_len;
 
 	if (!indirect) {
 		target_if_debug("no indirect data. regular event received");
@@ -102,6 +103,16 @@
 		target_if_err("incorrect pdev_id: %d", indirect->pdev_id);
 		return QDF_STATUS_E_INVAL;
 	}
+
+	allocated_len = priv_obj->dma_cap[ring_idx].min_buf_size +
+				(priv_obj->dma_cap[ring_idx].min_buf_align - 1);
+	if (indirect->len > allocated_len ||
+	    indirect->len > OEM_DATA_DMA_BUFF_SIZE) {
+		target_if_err("Invalid indirect len: %d, allocated_len:%d",
+			      indirect->len, allocated_len);
+		return QDF_STATUS_E_INVAL;
+	}
+
 	addr_hi = (uint64_t)WMI_OEM_DMA_DATA_ADDR_HI_GET(
 						indirect->addr_hi);
 	paddr = (void *)((uint64_t)addr_hi << 32 | indirect->addr_lo);
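Review bot: The error message in the new length check prints both values with `%d`, but `allocated_len` is declared `uint32_t` earlier in this patch, and `indirect->len` is presumably unsigned as well (its declaration is not in the hunk). A length with the top bit set, which is exactly the kind of value this branch exists to report, would be logged as a negative number and mislead anyone triaging the rejection; use `"Invalid indirect len: %u, allocated_len:%u"`. If, as the event-handling context suggests, the length is supplied by the target, a short comment above the check would help, e.g. `/* len comes from the target event; bound it by the posted buffer size before it is used */`. The enclosing function starts and ends outside this hunk, so how `len` is consumed after the check is not visible here.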
diff --git a/umac/wifi_pos/src/wifi_pos_utils_i.h b/umac/wifi_pos/src/wifi_pos_utils_i.h
index 5ee0380..676fed1 100644
--- a/umac/wifi_pos/src/wifi_pos_utils_i.h
+++ b/umac/wifi_pos/src/wifi_pos_utils_i.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2018, 2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -66,6 +66,8 @@
 
 #ifndef OEM_DATA_RSP_SIZE
 #define OEM_DATA_RSP_SIZE 1724
+/* Header + VHT80 CIR * 2 chains */
+#define OEM_DATA_DMA_BUFF_SIZE (64 + 512 * 4 * 2)
 #endif
 
 /**
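Review bot: `OEM_DATA_DMA_BUFF_SIZE` is defined inside the existing `#ifndef OEM_DATA_RSP_SIZE` guard, so a build that supplies its own `OEM_DATA_RSP_SIZE` never gets the new macro. The bounds check added to target_if_wifi_pos.c in this same commit depends on it, so that configuration would stop compiling, and the quick fix for that tends to be removing the check. Move the definition below the existing `#endif` and give it its own guard: `#ifndef OEM_DATA_DMA_BUFF_SIZE`, `#define OEM_DATA_DMA_BUFF_SIZE (64 + 512 * 4 * 2)`, `#endif`. The comment above the macro should also state the unit (bytes, presumably), since the value is compared directly against a length field.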