samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Bifurcation 0
Code Tickets Demandes d'ajout Actions Paquets Projets Publications Wiki Activité

qcacmn: Fix memleak in MBSSIE handler

Parcourir la source 
For corrupt beacon frame, the memory allocated for
split_prof_start is getting allocated for split
profile case. But since there are no other nonTx
profile or new MBSSID element present afterwards,
Hence, added mem free to handle this scenario.

Change-Id: I6b93ae0be97d72264071d1ce99345f8c0c23f81d
CRs-Fixed: 3156909
Cette révision appartient à :
Adwait Nayak
2022-04-02 00:06:04 +05:30
révisé par Madan Koyyalamudi
Parent 7f9da4ae12
révision 3799e7e5ad
1 fichiers modifiés avec 23 ajouts et 5 suppressions
Télécharger le Fichier Patch Télécharger le Fichier des Différences Développer tous les fichiers Réduire tous les fichiers

28
umac/scan/dispatcher/src/wlan_scan_utils_api.c
Voir le fichier

@@ -2763,8 +2763,10 @@ static QDF_STATUS util_scan_parse_mbssid(struct wlan_objmgr_pdev *pdev,
subie_len,
mbssid_info.split_prof_continue,
mbssid_info.prof_residue);
if (mbssid_info.split_prof_continue)
if (mbssid_info.split_prof_continue) {
qdf_mem_free(split_prof_start);
split_prof_start = NULL;
}
qdf_mem_free(new_ie);
return QDF_STATUS_E_INVAL;
@@ -2786,6 +2788,7 @@ static QDF_STATUS util_scan_parse_mbssid(struct wlan_objmgr_pdev *pdev,
subelement[ID_POS],
subelement[TAG_LEN_POS]);
qdf_mem_free(split_prof_start);
split_prof_start = NULL;
qdf_mem_free(new_ie);
return QDF_STATUS_E_INVAL;
} else if (retval == INVALID_NONTX_PROF) {
@@ -2900,14 +2903,21 @@ static QDF_STATUS util_scan_parse_mbssid(struct wlan_objmgr_pdev *pdev,
PAYLOAD_START_POS),
subie_len, new_ie);
if (!new_ie_len)
if (!new_ie_len) {
if (mbssid_info.split_prof_continue) {
qdf_mem_free(split_prof_start);
split_prof_start = NULL;
}
continue;
}
new_frame_len = frame_len - ielen + new_ie_len;
if (new_frame_len < 0) {
if (mbssid_info.split_prof_continue)
if (mbssid_info.split_prof_continue) {
qdf_mem_free(split_prof_start);
split_prof_start = NULL;
}
qdf_mem_free(new_ie);
scm_err("Invalid frame:Stop MBSSIE parsing");
scm_err("Frame_len: %zu,ielen:%u,new_ie_len:%u",
@@ -2917,8 +2927,10 @@ static QDF_STATUS util_scan_parse_mbssid(struct wlan_objmgr_pdev *pdev,
new_frame = qdf_mem_malloc(new_frame_len);
if (!new_frame) {
if (mbssid_info.split_prof_continue)
if (mbssid_info.split_prof_continue) {
qdf_mem_free(split_prof_start);
split_prof_start = NULL;
}
qdf_mem_free(new_ie);
scm_err_rl("Malloc for new_frame failed");
scm_err_rl("split_prof_continue: %d",
@@ -2958,6 +2970,7 @@ static QDF_STATUS util_scan_parse_mbssid(struct wlan_objmgr_pdev *pdev,
if (QDF_IS_STATUS_ERROR(status)) {
if (mbssid_info.split_prof_continue) {
qdf_mem_free(split_prof_start);
split_prof_start = NULL;
qdf_mem_zero(&mbssid_info,
sizeof(mbssid_info));
}
@@ -2968,8 +2981,10 @@ static QDF_STATUS util_scan_parse_mbssid(struct wlan_objmgr_pdev *pdev,
break;
}
/* scan entry makes its own copy so free the frame*/
if (mbssid_info.split_prof_continue)
if (mbssid_info.split_prof_continue) {
qdf_mem_free(split_prof_start);
split_prof_start = NULL;
}
qdf_mem_free(new_frame);
}
@@ -2977,6 +2992,9 @@ static QDF_STATUS util_scan_parse_mbssid(struct wlan_objmgr_pdev *pdev,
}
qdf_mem_free(new_ie);
if (split_prof_start)
qdf_mem_free(split_prof_start);
return QDF_STATUS_SUCCESS;
}
#else