authorSunil Ravi <sunilravi@google.com>2022-05-17 18:01:06 -0700
committerSunil Ravi <sunilravi@google.com>2022-05-23 11:20:57 -0700
commit07ef191b5a16f08cef8518827c3cd7a66f387b51 (patch)
tree75095e57fbf75b6d7cff973aa9d9c75cbd0d29b8 /wifi/1.6/default/wifi_chip.cpp
parentaff537b777f4ce0f0d41fef30981d7424b285a83 (diff)
wifi: Clear ring bufffers on detecting buffer corruption
While appending the newly received buffer to ring buffer list, check the size of the first buffer in the ring buffer list. If it is invalid (zero size or exceeding the max allowed size), return failure & clear all the ring buffers. Bug: 232477451 Test: vts test - 1.6/default/tests/runtests.sh Test: Manual - Ran basic wifi tests & checked bugreports Change-Id: Iaa41262f534914b971fe178053f1974248a46e70
Diffstat (limited to 'wifi/1.6/default/wifi_chip.cpp')
-rw-r--r--wifi/1.6/default/wifi_chip.cpp14
1 files changed, 13 insertions, 1 deletions
diff --git a/wifi/1.6/default/wifi_chip.cpp b/wifi/1.6/default/wifi_chip.cpp
index f062409d4e..c7c00b17fd 100644
--- a/wifi/1.6/default/wifi_chip.cpp
+++ b/wifi/1.6/default/wifi_chip.cpp
@@ -1613,6 +1613,7 @@ WifiStatus WifiChip::registerDebugRingBufferCallback() {
return;
}
WifiDebugRingBufferStatus hidl_status;
+ Ringbuffer::AppendStatus appendstatus;
if (!hidl_struct_util::convertLegacyDebugRingBufferStatusToHidl(status,
&hidl_status)) {
LOG(ERROR) << "Error converting ring buffer status";
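Review bot: `appendstatus` is declared without an initializer at the top of the callback, well before the block that assigns it. The next hunk only reads it after the `append()` assignment or an early `return`, so it is safe as written, but any later path that skips the `append()` call would compare an indeterminate value. Declaring it next to the locked block, or value-initializing it as `Ringbuffer::AppendStatus appendstatus{};`, removes that risk. The enclosing lambda starts and ends outside this hunk.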
@@ -1623,13 +1624,19 @@ WifiStatus WifiChip::registerDebugRingBufferCallback() {
const auto& target = shared_ptr_this->ringbuffer_map_.find(name);
if (target != shared_ptr_this->ringbuffer_map_.end()) {
Ringbuffer& cur_buffer = target->second;
- cur_buffer.append(data);
+ appendstatus = cur_buffer.append(data);
} else {
LOG(ERROR) << "Ringname " << name << " not found";
return;
}
// unique_lock unlocked here
}
+ if (appendstatus == Ringbuffer::AppendStatus::FAIL_RING_BUFFER_CORRUPTED) {
+ LOG(ERROR) << "Ringname " << name << " is corrupted. Clear the ring buffer";
+ shared_ptr_this->writeRingbufferFilesInternal();
+ return;
+ }
+
};
legacy_hal::wifi_error legacy_status = legacy_hal_.lock()->registerRingBufferCallbackHandler(
getFirstActiveWlanIfaceName(), on_ring_buffer_data_callback);
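Review bot: The `bool` returned by `writeRingbufferFilesInternal()` is discarded in the new corruption branch, so a failed dump looks the same as a successful one and the log line still says the ring buffer is being cleared. Checking it, e.g. `if (!shared_ptr_this->writeRingbufferFilesInternal()) LOG(ERROR) << "Ring buffer dump after corruption failed";`, keeps that failure visible in bugreports. The call also does file I/O directly on the ring-buffer callback path and runs on every append that reports corruption, so if the data source keeps delivering bad buffers the dump may repeat each time; a comment saying that the dump is what clears the buffers (the clearing itself is not visible here) and why repetition is bounded would help. The trailing `return;` is the last statement of the lambda and can be dropped. The lambda begins before this hunk.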
@@ -1971,6 +1978,11 @@ bool WifiChip::writeRingbufferFilesInternal() {
}
unique_fd file_auto_closer(dump_fd);
for (const auto& cur_block : cur_buffer.getData()) {
+ if (cur_block.size() <= 0 || cur_block.size() > kMaxBufferSizeBytes) {
+ PLOG(ERROR) << "Ring buffer: " << item.first
+ << " is corrupted. Invalid block size: " << cur_block.size();
+ break;
+ }
if (write(dump_fd, cur_block.data(), sizeof(cur_block[0]) * cur_block.size()) ==
-1) {
PLOG(ERROR) << "Error writing to file";
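Review bot: `PLOG(ERROR)` on the new size check appends the current `errno` text, but no system call has failed at that point, so the message will carry an unrelated error string; `LOG(ERROR)` is the right macro for this line. `cur_block.size() <= 0` can only mean `== 0` if `size()` is unsigned, as it is for standard containers, so `cur_block.empty() || cur_block.size() > kMaxBufferSizeBytes` states the intent directly. After the `break`, the dump file keeps whatever blocks were written before the bad one; whether the buffer is then cleared is outside this hunk, since the function body continues past it.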