qcacld-3.0: Change static declaration to dynamic allocation

In function hdd_hostapd_sap_event_cb() there are variables that are
defined on the stack. This can cause a stack overflow in certain cases.

Change the declaration of the variables to dynamic memory allocation.

Change-Id: Ic8dca63c57110a92f19a438b2ea9c7ab9936af97
CRs-Fixed: 2446590
Sourav Mohapatra
2019-05-06 15:28:54 +05:30
committed by nshrivas
parent 0b135d1c9f
commit 9793868536


@@ -101,6 +101,8 @@
/* Defines the BIT position of HE caps is support mode field of stainfo */ /* Defines the BIT position of HE caps is support mode field of stainfo */
#define HDD_HE_CAPS_PRESENT 2 #define HDD_HE_CAPS_PRESENT 2
#define HDD_MAX_CUSTOM_START_EVENT_SIZE 64
/* /*
* 11B, 11G Rate table include Basic rate and Extended rate * 11B, 11G Rate table include Basic rate and Extended rate
* The IDX field is the rate index * The IDX field is the rate index
@@ -1721,9 +1723,9 @@ QDF_STATUS hdd_hostapd_sap_event_cb(struct sap_event *sap_event,
uint8_t sta_id; uint8_t sta_id;
QDF_STATUS qdf_status; QDF_STATUS qdf_status;
bool bAuthRequired = true; bool bAuthRequired = true;
char unknownSTAEvent[IW_CUSTOM_MAX + 1]; char *unknownSTAEvent = NULL;
char maxAssocExceededEvent[IW_CUSTOM_MAX + 1]; char *maxAssocExceededEvent = NULL;
uint8_t we_custom_start_event[64]; uint8_t *we_custom_start_event = NULL;
char *startBssEvent; char *startBssEvent;
struct hdd_context *hdd_ctx; struct hdd_context *hdd_ctx;
struct iw_michaelmicfailure msg; struct iw_michaelmicfailure msg;
@@ -1911,10 +1913,15 @@ QDF_STATUS hdd_hostapd_sap_event_cb(struct sap_event *sap_event,
/* Fill the params for sending IWEVCUSTOM Event /* Fill the params for sending IWEVCUSTOM Event
* with SOFTAP.enabled * with SOFTAP.enabled
*/ */
we_custom_start_event =
qdf_mem_malloc(HDD_MAX_CUSTOM_START_EVENT_SIZE);
if (!we_custom_start_event)
goto stopbss;
startBssEvent = "SOFTAP.enabled"; startBssEvent = "SOFTAP.enabled";
memset(&we_custom_start_event, '\0', memset(we_custom_start_event, '\0',
sizeof(we_custom_start_event)); sizeof(HDD_MAX_CUSTOM_START_EVENT_SIZE));
memcpy(&we_custom_start_event, startBssEvent, memcpy(we_custom_start_event, startBssEvent,
strlen(startBssEvent)); strlen(startBssEvent));
memset(&wrqu, 0, sizeof(wrqu)); memset(&wrqu, 0, sizeof(wrqu));
wrqu.data.length = strlen(startBssEvent); wrqu.data.length = strlen(startBssEvent);
@@ -2433,6 +2440,10 @@ QDF_STATUS hdd_hostapd_sap_event_cb(struct sap_event *sap_event,
return QDF_STATUS_SUCCESS; return QDF_STATUS_SUCCESS;
case eSAP_UNKNOWN_STA_JOIN: case eSAP_UNKNOWN_STA_JOIN:
unknownSTAEvent = qdf_mem_malloc(IW_CUSTOM_MAX + 1);
if (!unknownSTAEvent)
return QDF_STATUS_E_NOMEM;
snprintf(unknownSTAEvent, IW_CUSTOM_MAX, snprintf(unknownSTAEvent, IW_CUSTOM_MAX,
"JOIN_UNKNOWN_STA-"QDF_MAC_ADDR_STR, "JOIN_UNKNOWN_STA-"QDF_MAC_ADDR_STR,
QDF_MAC_ADDR_ARRAY(sap_event->sapevt.sapUnknownSTAJoin.macaddr.bytes)); QDF_MAC_ADDR_ARRAY(sap_event->sapevt.sapUnknownSTAJoin.macaddr.bytes));
@@ -2444,6 +2455,10 @@ QDF_STATUS hdd_hostapd_sap_event_cb(struct sap_event *sap_event,
break; break;
case eSAP_MAX_ASSOC_EXCEEDED: case eSAP_MAX_ASSOC_EXCEEDED:
maxAssocExceededEvent = qdf_mem_malloc(IW_CUSTOM_MAX + 1);
if (!maxAssocExceededEvent)
return QDF_STATUS_E_NOMEM;
snprintf(maxAssocExceededEvent, IW_CUSTOM_MAX, snprintf(maxAssocExceededEvent, IW_CUSTOM_MAX,
"Peer "QDF_MAC_ADDR_STR" denied" "Peer "QDF_MAC_ADDR_STR" denied"
" assoc due to Maximum Mobile Hotspot connections reached. Please disconnect" " assoc due to Maximum Mobile Hotspot connections reached. Please disconnect"
@@ -2617,12 +2632,15 @@ QDF_STATUS hdd_hostapd_sap_event_cb(struct sap_event *sap_event,
} }
wireless_send_event(dev, we_event, &wrqu, wireless_send_event(dev, we_event, &wrqu,
(char *)we_custom_event_generic); (char *)we_custom_event_generic);
qdf_mem_free(we_custom_start_event);
qdf_mem_free(unknownSTAEvent);
qdf_mem_free(maxAssocExceededEvent);
return QDF_STATUS_SUCCESS; return QDF_STATUS_SUCCESS;
stopbss: stopbss:
{ {
uint8_t we_custom_event[64]; uint8_t *we_custom_event;
char *stopBssEvent = "STOP-BSS.response"; /* 17 */ char *stopBssEvent = "STOP-BSS.response"; /* 17 */
int event_len = strlen(stopBssEvent); int event_len = strlen(stopBssEvent);
@@ -2662,9 +2680,15 @@ stopbss:
} }
} }
we_custom_event =
qdf_mem_malloc(HDD_MAX_CUSTOM_START_EVENT_SIZE);
if (!we_custom_event)
return QDF_STATUS_E_NOMEM;
/* notify userspace that the BSS has stopped */ /* notify userspace that the BSS has stopped */
memset(&we_custom_event, '\0', sizeof(we_custom_event)); memset(we_custom_event, '\0',
memcpy(&we_custom_event, stopBssEvent, event_len); sizeof(HDD_MAX_CUSTOM_START_EVENT_SIZE));
memcpy(we_custom_event, stopBssEvent, event_len);
memset(&wrqu, 0, sizeof(wrqu)); memset(&wrqu, 0, sizeof(wrqu));
wrqu.data.length = event_len; wrqu.data.length = event_len;
we_event = IWEVCUSTOM; we_event = IWEVCUSTOM;
@@ -2672,6 +2696,11 @@ stopbss:
wireless_send_event(dev, we_event, &wrqu, wireless_send_event(dev, we_event, &wrqu,
(char *)we_custom_event_generic); (char *)we_custom_event_generic);
qdf_mem_free(we_custom_start_event);
qdf_mem_free(unknownSTAEvent);
qdf_mem_free(maxAssocExceededEvent);
qdf_mem_free(we_custom_event);
/* once the event is set, structure dev/adapter should /* once the event is set, structure dev/adapter should
* not be touched since they are now subject to being deleted * not be touched since they are now subject to being deleted
* by another thread * by another thread
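Review bot: Both rewritten memset calls, on `we_custom_start_event` in the SOFTAP.enabled hunk and on `we_custom_event` under `stopbss:`, pass `sizeof(HDD_MAX_CUSTOM_START_EVENT_SIZE)` as the length, which is the size of an int constant rather than 64, so only the first few bytes are cleared. The length should be the macro itself, e.g. `memset(we_custom_start_event, '\0', HDD_MAX_CUSTOM_START_EVENT_SIZE);`. If qdf_mem_malloc() already returns zeroed memory the effect is masked, but a buffer that presumably backs an event payload sent to userspace should not rely on that. Separately, the new `return QDF_STATUS_E_NOMEM` under `stopbss:` leaves without freeing any buffer allocated earlier in the call (for example `we_custom_start_event`) and appears to skip the stop-BSS notification that follows, so it should release those buffers and, if possible, fall through to the remaining cleanup. The function body extends well beyond the visible hunks, so which paths reach `stopbss:` with live allocations needs checking against the full file.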