
qcacld-3.0: Fix read after free issue

If a host-invoked roam fails, the roam request is freed from the vdev when
EV_ROAM_INVOKE_FAIL is handled, so it must not be accessed after that.

Change-Id: Ia486a18a6213fce693f85e8f633d343a367ab6e2
CRs-Fixed: 3178286
Jianmin Zhu hace 3 años
padre
commit
7f667d844b

+ 3 - 1
components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_fw_sync.c

@@ -1012,6 +1012,7 @@ QDF_STATUS cm_fw_roam_invoke_fail(struct wlan_objmgr_psoc *psoc,
 	enum wlan_cm_source source;
 	struct cnx_mgr *cm_ctx;
 	struct cm_roam_req *roam_req = NULL;
+	struct qdf_mac_addr bssid;
 
 	vdev = wlan_objmgr_get_vdev_by_id_from_psoc(psoc,
 						    vdev_id,
@@ -1037,6 +1038,7 @@ QDF_STATUS cm_fw_roam_invoke_fail(struct wlan_objmgr_psoc *psoc,
 
 	cm_id = roam_req->cm_id;
 	source = roam_req->req.source;
+	bssid = roam_req->req.bssid;
 
 	status = cm_sm_deliver_event(vdev, WLAN_CM_SM_EV_ROAM_INVOKE_FAIL,
 				     sizeof(wlan_cm_id), &cm_id);
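Review bot: Nothing at the snapshot of `cm_id`, `source` and `bssid` records that `roam_req` may already be freed once `cm_sm_deliver_event()` returns, so a later edit could reintroduce the read-after-free this commit removes. A comment above the three assignments, such as `/* roam_req may be freed while EV_ROAM_INVOKE_FAIL is handled; copy what is needed first */`, would document the lifetime rule. Adding `roam_req = NULL;` right after the deliver call would turn any future dereference into an immediate fault instead of a silent stale read. The lines between this hunk and the broadcast check in the next one are not shown, so confirm that no path there still needs the pointer before clearing it; the body of `cm_fw_roam_invoke_fail` starts and ends outside the hunk.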
@@ -1051,7 +1053,7 @@ QDF_STATUS cm_fw_roam_invoke_fail(struct wlan_objmgr_psoc *psoc,
 	 * highest score. It is requirement from customer which can avoid
 	 * ping-pong roaming.
 	 */
-	if (qdf_is_macaddr_broadcast(&roam_req->req.bssid))
+	if (qdf_is_macaddr_broadcast(&bssid))
 		mlme_debug("Keep current connection");
 	else if (source == CM_ROAMING_HOST || source == CM_ROAMING_NUD_FAILURE)
 		status = mlo_disconnect(vdev, CM_ROAM_DISCONNECT,