diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c index 503a2e497975f9c8666c892085ae0b3d821809b5..010db5898cd472b08fc5dd54bb9d2fed0c1171c3 100644 --- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c +++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c @@ -493,7 +493,7 @@ static bool wma_is_vdev_in_ap_mode(tp_wma_handle wma, u_int8_t vdev_id) { struct wma_txrx_node *intf = wma->interfaces; - if (vdev_id > wma->max_bssid) { + if (vdev_id >= wma->max_bssid) { WMA_LOGP("%s: Invalid vdev_id %hu", __func__, vdev_id); VOS_ASSERT(0); return false; @@ -519,7 +519,7 @@ static bool wma_is_vdev_in_ibss_mode(tp_wma_handle wma, u_int8_t vdev_id) { struct wma_txrx_node *intf = wma->interfaces; - if (vdev_id > wma->max_bssid) { + if (vdev_id >= wma->max_bssid) { WMA_LOGP("%s: Invalid vdev_id %hu", __func__, vdev_id); VOS_ASSERT(0); return false; @@ -1294,9 +1294,15 @@ static int wma_vdev_start_rsp_ind(tp_wma_handle wma, u_int8_t *buf) return -EINVAL; } + if (resp_event->vdev_id >= wma->max_bssid) { + WMA_LOGE("%s: received invalid vdev_id %d", + __func__, resp_event->vdev_id); + return -EINVAL; + } + iface = &wma->interfaces[resp_event->vdev_id]; - if ((resp_event->vdev_id <= wma->max_bssid) && + if ((resp_event->vdev_id < wma->max_bssid) && (adf_os_atomic_read( &wma->interfaces[resp_event->vdev_id].vdev_restart_params.hidden_ssid_restart_in_progress)) && (wma_is_vdev_in_ap_mode(wma, resp_event->vdev_id) == true)) { @@ -1889,7 +1895,7 @@ static void wma_delete_all_ibss_peers(tp_wma_handle wma, A_UINT32 vdev_id) ol_txrx_vdev_handle vdev; ol_txrx_peer_handle peer, temp; - if (!wma || vdev_id > wma->max_bssid) + if (!wma || vdev_id >= wma->max_bssid) return; vdev = wma->interfaces[vdev_id].handle; @@ -1931,7 +1937,7 @@ static void wma_delete_all_ap_remote_peers(tp_wma_handle wma, A_UINT32 vdev_id) ol_txrx_vdev_handle vdev; ol_txrx_peer_handle peer, temp; - if (!wma || vdev_id > wma->max_bssid) + if (!wma || vdev_id >= wma->max_bssid) return; vdev = wma->interfaces[vdev_id].handle; @@ -2190,7 +2196,7 @@ static int wma_vdev_stop_ind(tp_wma_handle wma, u_int8_t *buf) resp_event = (wmi_vdev_stopped_event_fixed_param *)buf; - if ((resp_event->vdev_id <= wma->max_bssid) && + if ((resp_event->vdev_id < wma->max_bssid) && (adf_os_atomic_read(&wma->interfaces[resp_event->vdev_id].vdev_restart_params.hidden_ssid_restart_in_progress)) && ((wma->interfaces[resp_event->vdev_id].type == WMI_VDEV_TYPE_AP) && (wma->interfaces[resp_event->vdev_id].sub_type == 0))) { @@ -2229,7 +2235,7 @@ static int wma_vdev_stop_ind(tp_wma_handle wma, u_int8_t *buf) tpDeleteBssParams params = (tpDeleteBssParams)req_msg->user_data; struct beacon_info *bcn; - if (resp_event->vdev_id > wma->max_bssid) { + if (resp_event->vdev_id >= wma->max_bssid) { WMA_LOGE("%s: Invalid vdev_id %d", __func__, resp_event->vdev_id); vos_mem_free(params); @@ -9825,7 +9831,7 @@ VOS_STATUS wma_start_scan(tp_wma_handle wma_handle, int len; tSirScanOffloadEvent *scan_event; - if (scan_req->sessionId > wma_handle->max_bssid) { + if (scan_req->sessionId >= wma_handle->max_bssid) { WMA_LOGE("%s: Invalid vdev_id %d, msg_type : 0x%x", __func__, scan_req->sessionId, msg_type); goto error1; @@ -12732,7 +12738,7 @@ void wma_vdev_resp_timer(void *data) struct beacon_info *bcn; struct wma_txrx_node *iface; - if (tgt_req->vdev_id > wma->max_bssid) { + if (tgt_req->vdev_id >= wma->max_bssid) { WMA_LOGE("%s: Invalid vdev_id %d", __func__, tgt_req->vdev_id); vos_mem_free(params); @@ -23162,7 +23168,7 @@ static VOS_STATUS wma_wow_enter(tp_wma_handle wma, WMA_LOGD("wow enable req received for vdev id: %d", info->sessionId); - if (info->sessionId > wma->max_bssid) { + if (info->sessionId >= wma->max_bssid) { WMA_LOGE("Invalid vdev id (%d)", info->sessionId); vos_mem_free(info); return VOS_STATUS_E_INVAL; @@ -23189,7 +23195,7 @@ static VOS_STATUS wma_wow_exit(tp_wma_handle wma, WMA_LOGD("wow disable req received for vdev id: %d", info->sessionId); - if (info->sessionId > wma->max_bssid) { + if (info->sessionId >= wma->max_bssid) { WMA_LOGE("Invalid vdev id (%d)", info->sessionId); vos_mem_free(info); return VOS_STATUS_E_INVAL; @@ -23222,7 +23228,7 @@ static VOS_STATUS wma_suspend_req(tp_wma_handle wma, tpSirWlanSuspendParam info) wma->no_of_suspend_ind++; - if (info->sessionId > wma->max_bssid) { + if (info->sessionId >= wma->max_bssid) { WMA_LOGE("Invalid vdev id (%d)", info->sessionId); vos_mem_free(info); return VOS_STATUS_E_INVAL; diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma_nan_datapath.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma_nan_datapath.c index c2cd54c2c2684b73a7af98b4b49b2c8b448474e3..6dccfcc7a9e317c1ec48f0cfc997423a9b04f1fb 100644 --- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma_nan_datapath.c +++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma_nan_datapath.c @@ -490,7 +490,7 @@ void wma_delete_all_nan_remote_peers(tp_wma_handle wma, uint32_t vdev_id) ol_txrx_vdev_handle vdev; ol_txrx_peer_handle peer, temp; - if (!wma || vdev_id > wma->max_bssid) + if (!wma || vdev_id >= wma->max_bssid) return; vdev = wma->interfaces[vdev_id].handle;