From 86812026a0cf0e56bd8ee11ef4f61a5488d24532 Mon Sep 17 00:00:00 2001
From: abhinav kumar
Date: Wed, 11 Aug 2021 22:19:11 +0530
Subject: [PATCH] qcacmn: Possible Integer overflow in wifi_pos_oem_rsp_handler API

"target_if_wifi_pos_oem_rsp_ev_handler" is the handler for the event with WMI_OEM_RESPONSE_EVENTID. Host receives "rsp->dma_len" from fw. The integer overflow occurs if "oem_rsp->dma_len" is big enough while calculating the total length of the Oem Data response buffer. Fix is to add a sanity check for rsp->dma_len to avoid integer overflow.

Change-Id: Idfbd358f62534eae0147f03505ced5728877a269
CRs-Fixed: 3001191
---
 target_if/wifi_pos/src/target_if_wifi_pos.c | 13 ++++++++++++-
 umac/wifi_pos/src/wifi_pos_utils_i.h | 4 +++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/target_if/wifi_pos/src/target_if_wifi_pos.c b/target_if/wifi_pos/src/target_if_wifi_pos.c
index 27d4d359f4..15e1fa69cb 100644
--- a/target_if/wifi_pos/src/target_if_wifi_pos.c
+++ b/target_if/wifi_pos/src/target_if_wifi_pos.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2020 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -92,6 +92,7 @@ static QDF_STATUS target_if_wifi_pos_get_indirect_data(
 	void *paddr = NULL;
 	uint32_t addr_hi;
 	uint8_t ring_idx = 0, num_rings;
+	uint32_t allocated_len;
 
 	if (!indirect) {
 		target_if_debug("no indirect data. regular event received");
@@ -104,6 +105,16 @@ static QDF_STATUS target_if_wifi_pos_get_indirect_data(
 		target_if_err("incorrect pdev_id: %d", indirect->pdev_id);
 		return QDF_STATUS_E_INVAL;
 	}
+
+	allocated_len = priv_obj->dma_cap[ring_idx].min_buf_size +
+			(priv_obj->dma_cap[ring_idx].min_buf_align - 1);
+	if (indirect->len > allocated_len ||
+	    indirect->len > OEM_DATA_DMA_BUFF_SIZE) {
+		target_if_err("Invalid indirect len: %d, allocated_len:%d",
+			      indirect->len, allocated_len);
+		return QDF_STATUS_E_INVAL;
+	}
+
 	addr_hi = (uint64_t)WMI_OEM_DMA_DATA_ADDR_HI_GET(
 					indirect->addr_hi);
 	paddr = (void *)((uint64_t)addr_hi << 32 | indirect->addr_lo);
diff --git a/umac/wifi_pos/src/wifi_pos_utils_i.h b/umac/wifi_pos/src/wifi_pos_utils_i.h
index 206a729c21..b9fa8b69e0 100644
--- a/umac/wifi_pos/src/wifi_pos_utils_i.h
+++ b/umac/wifi_pos/src/wifi_pos_utils_i.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -64,6 +64,8 @@ struct wifi_pos_req_msg;
 
 #ifndef OEM_DATA_RSP_SIZE
 #define OEM_DATA_RSP_SIZE 1724
+/* Header + VHT80 CIR * 2 chains */
+#define OEM_DATA_DMA_BUFF_SIZE (64 + 512 * 4 * 2)
 #endif
 
 /**
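Review bot: The new error log prints two unsigned values through `%d`: `allocated_len` is declared `uint32_t` in the previous hunk and `indirect->len` is the firmware-supplied length being rejected, so an oversized value is logged as a negative number; the call should read `target_if_err("Invalid indirect len: %u, allocated_len:%u", indirect->len, allocated_len);`. A one-line comment above the bound would also help the next reader, since the name alone carries the reasoning: `/* the ring's DMA buffer is presumably min_buf_size + alignment slack; OEM_DATA_DMA_BUFF_SIZE is the hard ceiling for the host copy */` — confirm the allocation size against the ring setup code, which is not in this hunk. The commit message places the overflow in the umac handler's total-length arithmetic, yet the check lands only on this producer side; if `dma_len` can reach wifi_pos_oem_rsp_handler by another path, that arithmetic stays unguarded and deserves its own check. target_if_wifi_pos_get_indirect_data starts and ends outside this hunk.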
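Review bot: `OEM_DATA_DMA_BUFF_SIZE` is defined inside the existing `#ifndef OEM_DATA_RSP_SIZE` block, so any build that pre-defines `OEM_DATA_RSP_SIZE` (the case this guard exists for) never gets the new macro, and the bound check added in target_if_wifi_pos.c then fails to compile. Move the two added lines after the `#endif` under their own `#ifndef OEM_DATA_DMA_BUFF_SIZE` / `#endif` pair, or leave them unguarded if the value is meant to be fixed rather than overridable. The comment would also be more useful if it named what 64, 512 and 4 stand for (header bytes, CIR sample count, bytes per sample, or whatever the firmware definition says) so a later change to the CIR format can be checked against it — the hunk does not show those units, so confirm them before writing them down.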