bcmdhd: Fixed possible OOB write in msgbuf handler
Bug: 350472698
Test: Regression Test
Change-Id: I65f40943fd8b8b49edaa7f9c984d074044656903
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>
(cherry picked from commit 26ad588272b54bf267c4882dda3592c115e0116f)
diff --git a/dhd_pcie.c b/dhd_pcie.c
index c840b44..46af8c2 100644
--- a/dhd_pcie.c
+++ b/dhd_pcie.c
@@ -15810,10 +15810,10 @@
DHD_INFO(("%s :Flow Response %d \n", __FUNCTION__, flowid));
/* Boundary check of the flowid */
- if (flowid > bus->dhd->max_tx_flowid) {
- DHD_ERROR(("%s: flowid is invalid %d, max id %d\n", __FUNCTION__,
- flowid, bus->dhd->max_tx_flowid));
- return;
+ if (DHD_FLOW_RING_INV_ID(bus->dhd, flowid)) {
+ DHD_ERROR(("%s: invalid flowid:%d alloc_max:%d fid_max:%d\n",
+ __FUNCTION__, flowid, bus->dhd->num_h2d_rings,
+ bus->dhd->max_tx_flowid));
}
flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);
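Review bot: The `return;` that closed the invalid-flowid branch is deleted and not re-added, so as this hunk reads, the new `if (DHD_FLOW_RING_INV_ID(bus->dhd, flowid))` block only logs and then falls through to `flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);` with the id it just rejected. If that is what landed, the ring lookup this commit is meant to protect still runs on an out-of-range value taken from the response message; put `return;` back as the last statement of the block, after the `DHD_ERROR`. The same applies to the Flow Delete Response hunk at 15917 and the hunk at 16000. The definition of `DHD_FLOW_RING_INV_ID` is not part of this diff, so it is worth confirming that it bounds `flowid` against the allocated ring count (`num_h2d_rings`) and not only `max_tx_flowid`. The enclosing handlers start and end outside the hunks.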
@@ -15917,10 +15917,10 @@
DHD_INFO(("%s :Flow Delete Response %d \n", __FUNCTION__, flowid));
/* Boundary check of the flowid */
- if (flowid > bus->dhd->max_tx_flowid) {
- DHD_ERROR(("%s: flowid is invalid %d, max id %d\n", __FUNCTION__,
- flowid, bus->dhd->max_tx_flowid));
- return;
+ if (DHD_FLOW_RING_INV_ID(bus->dhd, flowid)) {
+ DHD_ERROR(("%s: invalid flowid:%d alloc_max:%d fid_max:%d\n",
+ __FUNCTION__, flowid, bus->dhd->num_h2d_rings,
+ bus->dhd->max_tx_flowid));
}
flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);
@@ -16000,10 +16000,10 @@
}
/* Boundary check of the flowid */
- if (flowid > bus->dhd->max_tx_flowid) {
- DHD_ERROR(("%s: flowid is invalid %d, max id %d\n", __FUNCTION__,
- flowid, bus->dhd->max_tx_flowid));
- return;
+ if (DHD_FLOW_RING_INV_ID(bus->dhd, flowid)) {
+ DHD_ERROR(("%s: invalid flowid:%d alloc_max:%d fid_max:%d\n",
+ __FUNCTION__, flowid, bus->dhd->num_h2d_rings,
+ bus->dhd->max_tx_flowid));
}
flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);