samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Rozštěpit 0
Zdrojový kód Úkoly Pull requesty Akce Balíčky Projekty Vydání Wiki Aktivita

qcacld-3.0: Fix use after free in sme_qos_del_ts_req

Procházet zdrojové kódy 
In sme_qos_del_ts_req, there is a chance that driver can access
del ts req pMsg even after free. In umac_send_mb_message_to_mac
driver frees pMsg if there is some failure. But driver still
tries to access pMsg in sme_qos_del_ts_req even if umac_send_mb_
message_to_mac returns failure.

Access pMsg only if umac_send_mb_message_to_mac returns success
to avoid this use after free issue.

Change-Id: I3638a38746b9cd917e01a7ff6f38430344e6e78d
CRs-Fixed: 2214718
Tento commit je obsažen v:
Padma, Santhosh Kumar
2018-04-06 18:45:28 +05:30
odevzdal nshrivas
rodič 33fcd68b5b
revize 96086a6d52
1 změnil soubory, kde provedl 16 přidání a 17 odebrání
Stáhněte soubor záplaty Stáhněte rozdílový soubor Rozbalit všechny soubory Sbalit všechny soubory

33
core/sme/src/qos/sme_qos.c
Zobrazit soubor

@@ -4113,7 +4113,6 @@ static QDF_STATUS sme_qos_del_ts_req(tpAniSirGlobal pMac,
struct sme_qos_acinfo *pACInfo;
tSirDeltsReq *pMsg;
struct sme_qos_wmmtspecinfo *pTspecInfo;
QDF_STATUS status = QDF_STATUS_E_FAILURE;
#ifdef FEATURE_WLAN_DIAG_SUPPORT
WLAN_HOST_DIAG_EVENT_DEF(qos, host_event_wlan_qos_payload_type);
@@ -4183,23 +4182,23 @@ static QDF_STATUS sme_qos_del_ts_req(tpAniSirGlobal pMac,
pTspecInfo->ts_info.up, pTspecInfo->ts_info.tid);
qdf_mem_zero(&pACInfo->curr_QoSInfo[tspec_mask - 1],
sizeof(struct sme_qos_wmmtspecinfo));
if (QDF_IS_STATUS_SUCCESS(umac_send_mb_message_to_mac(pMsg))) {
status = QDF_STATUS_SUCCESS;
QDF_TRACE(QDF_MODULE_ID_SME, QDF_TRACE_LEVEL_DEBUG,
"%s: %d: sme_qos_del_ts_req:Test: sent down a DELTS req to PE",
__func__, __LINE__);
/* event: EVENT_WLAN_QOS */
#ifdef FEATURE_WLAN_DIAG_SUPPORT
qos.eventId = SME_QOS_DIAG_DELTS;
qos.reasonCode = SME_QOS_DIAG_USER_REQUESTED;
WLAN_HOST_DIAG_EVENT_REPORT(&qos, EVENT_WLAN_QOS);
#endif /* FEATURE_WLAN_DIAG_SUPPORT */
}
sme_set_tspec_uapsd_mask_per_session(pMac,
&pMsg->req.tspec.tsinfo,
sessionId);
return status;
if (!QDF_IS_STATUS_SUCCESS(umac_send_mb_message_to_mac(pMsg))) {
sme_err("DELTS req to PE failed");
return QDF_STATUS_E_FAILURE;
}
sme_debug("sent down a DELTS req to PE");
#ifdef FEATURE_WLAN_DIAG_SUPPORT
qos.eventId = SME_QOS_DIAG_DELTS;
qos.reasonCode = SME_QOS_DIAG_USER_REQUESTED;
WLAN_HOST_DIAG_EVENT_REPORT(&qos, EVENT_WLAN_QOS);
#endif
sme_set_tspec_uapsd_mask_per_session(pMac, &pMsg->req.tspec.tsinfo,
sessionId);
return QDF_STATUS_SUCCESS;
}
/*