
qcacld-3.0: Fix use after free in roaming disassoc rsp handler

During Rome LFR2 roaming, after pre-auth with the new AP has finished,
the current AP is disassociated. In the disassoc rsp handler,
csr_roam_roaming_state_disassoc_rsp_processor,
csr_roam_copy_profile is called after csr_dequeue_command.
In csr_dequeue_command, the cmd on the active list is removed, the cmd
from the pending cmd list is moved to the active list and executed; if
that cmd is a disassoc from wpa_supplicant, pSession->pCurRoamProfile
is freed, and a use after free happens in csr_roam_copy_profile.

call stack when issue happens:

csr_roam_roaming_state_disassoc_rsp_processor
 ->csr_dequeue_command
    ->wlan_serialization_dequeue_cmd
       ->wlan_serialization_move_pending_to_active
          ->wlan_serialization_activate_cmd
             ->sme_ser_handle_active_cmd
                ->csr_roam_process_command
                   ->csr_roam_process_disassoc_deauth
                   -> csr_free_roam_profile
 ->csr_roam_copy_profile

Fixed by calling csr_dequeue_command after csr_roam_copy_profile

Change-Id: I903795e830c153b94a7dc0476a0e8ea5ecf6be2f
CRs-Fixed: 2205645
Zhu Jianmin 7 years ago
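The ordering hazard the commit message describes is worth seeing in isolation: a dequeue that synchronously activates the next serialized command can run arbitrary code, including a handler that frees per-session state the caller still intends to read. The following is an added illustration written for this page, not qcacld-3.0 code; it models the serialization queue and the session profile with hypothetical names (`dequeue_command`, `copy_profile`, `profile_alloc`, `run_scenario`) and a tiny slab that tracks liveness so the freed read is detected instead of being undefined behaviour. The two handlers reproduce the ordering before and after the fix.

```c
/*
 * Added illustration (not qcacld-3.0 code): a toy model of the command
 * serialization queue showing why csr_dequeue_command must run after
 * csr_roam_copy_profile.  All names here are hypothetical.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS        8
#define PROFILE_SSID_LEN  32

/* Small slab with a liveness bit, so a read of a freed block can be
 * reported rather than silently reading stale memory. */
struct roam_profile {
    char ssid[PROFILE_SSID_LEN];
    int  live;                  /* 1 while allocated, 0 after profile_free() */
};

static struct roam_profile g_pool[POOL_SLOTS];

static struct roam_profile *profile_alloc(const char *ssid)
{
    for (size_t i = 0; i < POOL_SLOTS; i++) {
        if (!g_pool[i].live) {
            memset(&g_pool[i], 0, sizeof g_pool[i]);
            strncpy(g_pool[i].ssid, ssid, PROFILE_SSID_LEN - 1);
            g_pool[i].live = 1;
            return &g_pool[i];
        }
    }
    return NULL;
}

/* Models qdf_mem_free(): the block dies, the caller's pointer dangles. */
static void profile_free(struct roam_profile *p)
{
    if (p)
        p->live = 0;
}

/* Per-session state; cur_profile stands in for pSession->pCurRoamProfile. */
struct session {
    struct roam_profile *cur_profile;
};

enum cmd_type { CMD_NONE, CMD_ROAM, CMD_DISASSOC };

struct cmd_queue {
    enum cmd_type   active;
    enum cmd_type   pending;    /* one pending command is enough for the model */
    struct session *sess;
};

/* Models wlan_serialization_dequeue_cmd -> move_pending_to_active ->
 * activate_cmd: the next command executes synchronously inside this call.
 * A pending disassoc frees the session profile, like csr_free_roam_profile,
 * and deliberately leaves the session pointer dangling. */
static void dequeue_command(struct cmd_queue *q)
{
    q->active  = q->pending;
    q->pending = CMD_NONE;
    if (q->active == CMD_DISASSOC)
        profile_free(q->sess->cur_profile);
}

/* Models csr_roam_copy_profile. Returns -1 when the source is gone; a real
 * driver has no liveness bit and would simply read freed memory here. */
static int copy_profile(struct roam_profile *dst, const struct roam_profile *src)
{
    if (!src || !src->live)
        return -1;
    memcpy(dst->ssid, src->ssid, PROFILE_SSID_LEN);
    return 0;
}

/* Ordering before the fix: dequeue first, then copy from session state. */
static int handler_before_fix(struct cmd_queue *q, struct roam_profile *snapshot)
{
    dequeue_command(q);
    return copy_profile(snapshot, q->sess->cur_profile);
}

/* Ordering after the fix: snapshot the profile, then let the next cmd run. */
static int handler_after_fix(struct cmd_queue *q, struct roam_profile *snapshot)
{
    int rc = copy_profile(snapshot, q->sess->cur_profile);
    dequeue_command(q);
    return rc;
}

/* Run one scenario on a fresh pool; returns the handler status and writes
 * the SSID that ended up in the snapshot to out (PROFILE_SSID_LEN bytes). */
static int run_scenario(int fixed, enum cmd_type pending, char *out)
{
    memset(g_pool, 0, sizeof g_pool);
    struct session s = { .cur_profile = profile_alloc("corp-wifi") };
    struct roam_profile *snapshot = profile_alloc("");
    struct cmd_queue q = { .active = CMD_ROAM, .pending = pending, .sess = &s };
    int rc = fixed ? handler_after_fix(&q, snapshot)
                   : handler_before_fix(&q, snapshot);
    strncpy(out, snapshot->ssid, PROFILE_SSID_LEN);
    return rc;
}

int main(void)
{
    char ssid[PROFILE_SSID_LEN];
    printf("before fix, pending disassoc: rc=%d\n", run_scenario(0, CMD_DISASSOC, ssid));
    printf("after fix,  pending disassoc: rc=%d ssid=%s\n", run_scenario(1, CMD_DISASSOC, ssid), ssid);
    return 0;
}
```

The model generalizes the commit's case slightly: any command that the dequeue activates may free session state, so the rule is to take every snapshot of `pSession` fields before the dequeue, not only the roam profile.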
parent commit 3c83a848cb
1 file changed with 9 additions and 7 deletions

+ 9 - 7
core/sme/src/csr/csr_api_roam.c

@@ -10101,12 +10101,6 @@ void csr_roam_roaming_state_disassoc_rsp_processor(tpAniSirGlobal pMac,
 						pNeighborRoamInfo, &hBSSList))
 			goto POST_ROAM_FAILURE;
 
-		/*
-		 * After ensuring that the roam profile is in the scan result
-		 * list, dequeue the command from the active list.
-		 */
-		csr_dequeue_command(pMac);
-
 		/* notify HDD about handoff and provide the BSSID too */
 		roamInfo->reasonCode = eCsrRoamReasonBetterAP;
 
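Review bot: with the dequeue removed from this spot, every path between here and the new csr_dequeue_command call in the pCurRoamProfile branch must still reach a dequeue, otherwise the disassoc command stays on the active list and the serializer stalls. The `goto POST_ROAM_FAILURE` above is unaffected (it already ran before the old dequeue), but the HDD handoff notification that follows `roamInfo->reasonCode = eCsrRoamReasonBetterAP;` now runs while the command is still active; a sentence in the commit message saying that this is intended would help the next reader.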
@@ -10132,6 +10126,12 @@ void csr_roam_roaming_state_disassoc_rsp_processor(tpAniSirGlobal pMac,
 					      NULL);
 			csr_roam_copy_profile(pMac, pCurRoamProfile,
 					      pSession->pCurRoamProfile);
+			/*
+			 * After ensuring that the roam profile is in the scan
+			 * result list, and pSession->pCurRoamProfile is saved,
+			 * dequeue the command from the active list.
+			 */
+			csr_dequeue_command(pMac);
 			/* make sure to put it at the head of the cmd queue */
 			status = csr_roam_issue_connect(pMac, sessionId,
 					pCurRoamProfile, hBSSList,
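Review bot: the new comment says pSession->pCurRoamProfile is "saved", but the status of csr_roam_copy_profile is not checked, and csr_roam_issue_connect below depends on pCurRoamProfile holding a complete copy. Since csr_dequeue_command may synchronously execute the pending disassoc and free pSession->pCurRoamProfile, nothing after that call in this path may touch pSession->pCurRoamProfile; passing the copy to csr_roam_issue_connect is right, but roamInfo and hBSSList are still in use afterwards, so please confirm the activated command cannot release them. It would also help to state the reason in the comment (the pending disassoc runs inside the dequeue), not only the ordering.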
@@ -10149,7 +10149,9 @@ void csr_roam_roaming_state_disassoc_rsp_processor(tpAniSirGlobal pMac,
 			qdf_mem_free(roamInfo);
 			return;
 		} else {
-			csr_scan_result_purge(pMac, hBSSList);
+			sme_err("pCurRoamProfile memory alloc failed");
+			QDF_ASSERT(0);
+			csr_dequeue_command(pMac);
 		}
 		csr_scan_result_purge(pMac, hBSSList);
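Review bot: `QDF_ASSERT(0);` on a failed allocation turns a recoverable out-of-memory condition into a panic on builds where QDF_ASSERT is fatal; the `sme_err` plus the `csr_dequeue_command(pMac);` already leave the serializer consistent, so consider dropping the assert. Removing `csr_scan_result_purge(pMac, hBSSList);` from the else branch is correct on its own, since the same hBSSList is purged unconditionally right after the block, so this also fixes a double purge; worth a mention in the commit message. The if branch frees roamInfo and returns, while the else branch now falls through; please confirm roamInfo is freed on that fall-through path as well.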