Merge branch 'android-msm-barbet-4.19-sc-security' into android-msm-barbet-4.19-sc-qpr1
Jan 2022.1
Bug: 204278602
Change-Id: I3dad163c435883d099cdff4810b0ed2074fe7859
diff --git a/target_if/wifi_pos/src/target_if_wifi_pos.c b/target_if/wifi_pos/src/target_if_wifi_pos.c
index 42f5ead..b8f90a3 100644
--- a/target_if/wifi_pos/src/target_if_wifi_pos.c
+++ b/target_if/wifi_pos/src/target_if_wifi_pos.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2019, 2021 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -90,6 +90,7 @@
void *paddr = NULL;
uint32_t addr_hi;
uint8_t ring_idx = 0, num_rings;
+ uint32_t allocated_len;
if (!indirect) {
target_if_debug("no indirect data. regular event received");
@@ -102,6 +103,16 @@
target_if_err("incorrect pdev_id: %d", indirect->pdev_id);
return QDF_STATUS_E_INVAL;
}
+
+ allocated_len = priv_obj->dma_cap[ring_idx].min_buf_size +
+ (priv_obj->dma_cap[ring_idx].min_buf_align - 1);
+ if (indirect->len > allocated_len ||
+ indirect->len > OEM_DATA_DMA_BUFF_SIZE) {
+ target_if_err("Invalid indirect len: %d, allocated_len:%d",
+ indirect->len, allocated_len);
+ return QDF_STATUS_E_INVAL;
+ }
+
addr_hi = (uint64_t)WMI_OEM_DMA_DATA_ADDR_HI_GET(
indirect->addr_hi);
paddr = (void *)((uint64_t)addr_hi << 32 | indirect->addr_lo);
diff --git a/umac/wifi_pos/src/wifi_pos_utils_i.h b/umac/wifi_pos/src/wifi_pos_utils_i.h
index 5ee0380..676fed1 100644
--- a/umac/wifi_pos/src/wifi_pos_utils_i.h
+++ b/umac/wifi_pos/src/wifi_pos_utils_i.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2018, 2021 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -66,6 +66,8 @@
#ifndef OEM_DATA_RSP_SIZE
#define OEM_DATA_RSP_SIZE 1724
+/* Header + VHT80 CIR * 2 chains */
+#define OEM_DATA_DMA_BUFF_SIZE (64 + 512 * 4 * 2)
#endif
/**