From 34b51d3dcc9393ed2e3b7b22116992c8daf4c468 Mon Sep 17 00:00:00 2001
From: Srinivas Pitla
Date: Mon, 13 Apr 2020 11:59:57 -0700
Subject: [PATCH] qcacmn: Free nbuf on bpr disabled case only

If tx capture, sniffer are not enabled, mgmt nbuf is freed. It is causing use-after-free in bpr enabled case Added change to free only when bpr is disabled

Change-Id: Ia56254ca371cd9fbc21f5d58fac7ea96792d0bee
CRs-Fixed: 2663098
---
 dp/wifi3.0/dp_htt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dp/wifi3.0/dp_htt.c b/dp/wifi3.0/dp_htt.c
index 09a402aad7..a518b8776c 100644
--- a/dp/wifi3.0/dp_htt.c
+++ b/dp/wifi3.0/dp_htt.c
@@ -3008,7 +3008,8 @@ void dp_deliver_mgmt_frm(struct dp_pdev *pdev, qdf_nbuf_t nbuf)
 nbuf, HTT_INVALID_PEER, WDI_NO_VAL, pdev->pdev_id); } else {
- qdf_nbuf_free(nbuf);
+ if (!pdev->bpr_enable)
+ qdf_nbuf_free(nbuf);
 }
 }
 #endif
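Review bot: After this change dp_deliver_mgmt_frm() releases nbuf on some paths and leaves it with the caller on others, and nothing in the new else branch documents that ownership rule. The first branch (taken, per the commit message, when tx capture or sniffer is enabled) still passes nbuf to dp_wdi_event_handler() without looking at pdev->bpr_enable. If that handler releases the buffer while the BPR path keeps using it, the use-after-free fixed here may remain reachable when both features are on; the handler and the caller are outside the hunk, so this needs confirming. I would add a comment above the new test such as `/* bpr_enable: nbuf stays owned by the caller (BPR path), which must free it */` and fold the nested test into `} else if (!pdev->bpr_enable) {` with braces around the free. The function's opening lines, including the first branch's condition, are outside the hunk.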