
qcacld-3.0: Clear Key information from driver memory after disconnect

Currently the key information i.e the key, and the number of keys
are not getting cleared on wifi link disconnection from wifi
driver memory, which can lead to information disclosure.

Clear the key information, i.e. the number of keys and the
keys themselves, from wifi driver memory to avoid any potential
information disclosure after wifi is turned off.

Change-Id: I45306e0d648c500f63f723b4e3ccb6098c055158
CRs-Fixed: 2415413
gaurank kathpalia 6 years ago
6d25c97f3f

+ 2 - 0
core/mac/src/pe/lim/lim_process_sme_req_messages.c

@@ -3607,6 +3607,7 @@ static void __lim_process_roam_scan_offload_req(struct mac_context *mac_ctx,
 
 	local_ie_buf = qdf_mem_malloc(MAX_DEFAULT_SCAN_IE_LEN);
 	if (!local_ie_buf) {
+		qdf_mem_zero(req_buffer, sizeof(*req_buffer));
 		qdf_mem_free(req_buffer);
 		return;
 	}
@@ -3634,6 +3635,7 @@ static void __lim_process_roam_scan_offload_req(struct mac_context *mac_ctx,
 	status = wma_post_ctrl_msg(mac_ctx, &wma_msg);
 	if (QDF_STATUS_SUCCESS != status) {
 		pe_err("Posting WMA_ROAM_SCAN_OFFLOAD_REQ failed");
+		qdf_mem_zero(req_buffer, sizeof(*req_buffer));
 		qdf_mem_free(req_buffer);
 	}
 }
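Review bot: The zero-then-free pairs added at the two `qdf_mem_free(req_buffer)` sites only cover the local failure paths; on the success path req_buffer is handed to WMA via wma_post_ctrl_msg and released by the receiver outside this file, so unless that consumer clears it the same way, the key material this commit targets still survives on the common path. The same pattern, failure paths only, appears in the sme_api.c, csr_api_roam.c and wma_scan_roam.c hunks and is worth confirming on the consumer side once. With nine near-identical `qdf_mem_zero(p, size); qdf_mem_free(p);` sites, a small helper such as `static inline void lim_zero_free(void *p, size_t n) { qdf_mem_zero(p, n); qdf_mem_free(p); }` (or a QDF-level equivalent) would keep them consistent; note that lim_security_utils.c uses `sizeof(tSetBssKeyParams)` while every other site uses `sizeof(*ptr)`. If qdf_mem_zero resolves to a plain memset and qdf_mem_free is ever inlined to the allocator, a store immediately before the free can be dropped as dead by the optimizer, so an explicit-clear variant (kernel `memzero_explicit` or a QDF wrapper over it) is the safer primitive for secret material. __lim_process_roam_scan_offload_req begins outside the hunk.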

+ 2 - 0
core/mac/src/pe/lim/lim_security_utils.c

@@ -844,6 +844,8 @@ void lim_send_set_bss_key_req(struct mac_context *mac,
 
 		/* Respond to SME with LIM_MLM_SETKEYS_CNF */
 		mlmSetKeysCnf.resultCode = eSIR_SME_HAL_SEND_MESSAGE_FAIL;
+		qdf_mem_zero(pSetBssKeyParams, sizeof(tSetBssKeyParams));
+		qdf_mem_free(pSetBssKeyParams);
 	} else
 		return;         /* Continue after WMA_SET_BSSKEY_RSP... */
 
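Review bot: The new `qdf_mem_free(pSetBssKeyParams)` in the failure branch needs a check that nothing later in lim_send_set_bss_key_req also releases the buffer, since the success branch returns early while the failure branch continues past the end of this hunk to send LIM_MLM_SETKEYS_CNF; if the original code already freed it further down, this is a double free. The clear itself would read more consistently with the rest of the commit as `qdf_mem_zero(pSetBssKeyParams, sizeof(*pSetBssKeyParams));`. On the success path the buffer is passed to WMA, and the wma_mgmt.c hunk for wma_set_bsskey zeroes only its local key_params, not key_info, so whether the tSetBssKeyParams object is cleared before it is freed in the response path cannot be confirmed from this diff. The function starts and ends outside the hunk.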

+ 1 - 0
core/sme/src/common/sme_api.c

@@ -6440,6 +6440,7 @@ QDF_STATUS sme_stop_roaming(mac_handle_t mac_handle, uint8_t session_id,
 	if (QDF_STATUS_SUCCESS != status) {
 		sme_err("WMA_ROAM_SCAN_OFFLOAD_REQ failed, session_id: %d",
 			session_id);
+		qdf_mem_zero(req, sizeof(*req));
 		qdf_mem_free(req);
 		return QDF_STATUS_E_FAULT;
 	}

+ 3 - 1
core/sme/src/csr/csr_api_roam.c

@@ -16210,8 +16210,10 @@ QDF_STATUS csr_send_mb_set_context_req_msg(struct mac_context *mac,
 		status = scheduler_post_message(QDF_MODULE_ID_SME,
 						QDF_MODULE_ID_PE,
 						QDF_MODULE_ID_PE, &msg);
-		if (QDF_IS_STATUS_ERROR(status))
+		if (QDF_IS_STATUS_ERROR(status)) {
+			qdf_mem_zero(pMsg, msgLen);
 			qdf_mem_free(pMsg);
+		}
 	} while (0);
 	return status;
 }

+ 4 - 0
core/wma/src/wma_mgmt.c

@@ -2149,6 +2149,7 @@ static QDF_STATUS wma_setup_install_key_cmd(tp_wma_handle wma_handle,
 		iface->is_waiting_for_key = false;
 
 end:
+	qdf_mem_zero(&params, sizeof(struct set_key_params));
 	return status;
 }
 #endif
@@ -2380,6 +2381,8 @@ void wma_set_bsskey(tp_wma_handle wma_handle, tpSetBssKeyParams key_info)
 	/* TODO: Should we wait till we get HTT_T2H_MSG_TYPE_SEC_IND? */
 	key_info->status = QDF_STATUS_SUCCESS;
 
+	qdf_mem_zero(&key_params, sizeof(struct wma_set_key_params));
+
 out:
 	wma_send_msg_high_priority(wma_handle, WMA_SET_BSSKEY_RSP,
 				   (void *)key_info, 0);
@@ -2603,6 +2606,7 @@ void wma_set_stakey(tp_wma_handle wma_handle, tpSetStaKeyParams key_info)
 	/* TODO: Should we wait till we get HTT_T2H_MSG_TYPE_SEC_IND? */
 	key_info->status = QDF_STATUS_SUCCESS;
 out:
+	qdf_mem_zero(&key_params, sizeof(struct wma_set_key_params));
 	if (key_info->sendRsp)
 		wma_send_msg_high_priority(wma_handle, WMA_SET_STAKEY_RSP,
 					   (void *)key_info, 0);
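Review bot: In wma_set_bsskey the added `qdf_mem_zero(&key_params, sizeof(struct wma_set_key_params));` sits before the `out:` label, so any error path that jumps to `out` after key_params has been filled in skips the clear, whereas wma_set_stakey in the next hunk places the same line after `out:` and covers both paths. Moving the wma_set_bsskey clear to the line directly after `out:` makes the two functions consistent and closes that gap. In wma_setup_install_key_cmd the clear of the local `params` at `end:` is the textbook dead-store case — the object goes out of scope on the next line — so if qdf_mem_zero inlines to memset the compiler is entitled to remove it; an explicit-clear helper (kernel `memzero_explicit` or a QDF wrapper) is the right primitive here. All three functions begin outside their hunks, and wma_set_bsskey and wma_set_stakey also end outside them.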

+ 4 - 0
core/wma/src/wma_scan_roam.c

@@ -398,6 +398,7 @@ QDF_STATUS wma_roam_scan_offload_mode(tp_wma_handle wma_handle,
 
 	status = wmi_unified_roam_scan_offload_mode_cmd(wma_handle->wmi_handle,
 				scan_cmd_fp, params);
+	qdf_mem_zero(params, sizeof(*params));
 	qdf_mem_free(params);
 	if (QDF_IS_STATUS_ERROR(status))
 		return status;
@@ -1532,6 +1533,7 @@ QDF_STATUS wma_process_roaming_config(tp_wma_handle wma_handle,
 
 	if (!mac) {
 		WMA_LOGE("%s: mac is NULL", __func__);
+		qdf_mem_zero(roam_req, sizeof(*roam_req));
 		qdf_mem_free(roam_req);
 		return QDF_STATUS_E_FAILURE;
 	}
@@ -1540,6 +1542,7 @@ QDF_STATUS wma_process_roaming_config(tp_wma_handle wma_handle,
 		/* roam scan offload is not enabled in firmware.
 		 * Cannot initialize it in the middle of connection.
 		 */
+		qdf_mem_zero(roam_req, sizeof(*roam_req));
 		qdf_mem_free(roam_req);
 		return QDF_STATUS_E_PERM;
 	}
@@ -1925,6 +1928,7 @@ QDF_STATUS wma_process_roaming_config(tp_wma_handle wma_handle,
 	default:
 		break;
 	}
+	qdf_mem_zero(roam_req, sizeof(*roam_req));
 	qdf_mem_free(roam_req);
 	return qdf_status;
 }