
qcacld-3.0: Fix Mem leak during GTK/IGTK rekey in FT-SuiteB roam

In commit I5aa50145fcd3ba91b1c92d4817b7f0e4fc216e3f, for the FT-SuiteB
case, memory is allocated for the GTK/IGTK in wlan_parse_ftie_sha384
while parsing the FTIE in the Assoc/Reassoc response, but it is not
freed properly.
This change does the respective mem free wherever required.

Change-Id: I59ccdd234efd2ee693b05426e62d3c2422fb5326
CRs-Fixed: 2747641
Srikanth Marepalli 4 years ago
parent
commit
b3a17c8661

+ 17 - 0
core/mac/src/pe/lim/lim_process_assoc_rsp_frame.c

@@ -586,6 +586,14 @@ lim_handle_pmfcomeback_timer(struct pe_session *session_entry,
 }
 #endif
 
+static void clean_up_ft_sha384(tpSirAssocRsp assoc_rsp, bool sha384_akm)
+{
+	if (sha384_akm) {
+		qdf_mem_free(assoc_rsp->sha384_ft_subelem.gtk);
+		qdf_mem_free(assoc_rsp->sha384_ft_subelem.igtk);
+	}
+}
+
 /**
  * lim_process_assoc_rsp_frame() - Processes assoc response
  * @mac_ctx: Pointer to Global MAC structure
@@ -622,6 +630,8 @@ lim_process_assoc_rsp_frame(struct mac_context *mac_ctx, uint8_t *rx_pkt_info,
 	uint8_t ap_nss;
 	int8_t rssi;
 	QDF_STATUS status;
+	enum ani_akm_type auth_type;
+	bool sha384_akm;
 	tpRRMCaps rrm_caps = &mac_ctx->rrm.rrmPEContext.rrmEnabledCaps;
 
 	assoc_cnf.resultCode = eSIR_SME_SUCCESS;
@@ -793,8 +803,12 @@ lim_process_assoc_rsp_frame(struct mac_context *mac_ctx, uint8_t *rx_pkt_info,
 	lim_update_ese_tspec(mac_ctx, session_entry, assoc_rsp);
 #endif
 
+	auth_type = session_entry->connected_akm;
+	sha384_akm = lim_is_sha384_akm(auth_type);
+
 	if (lim_get_capability_info(mac_ctx, &caps, session_entry)
 		!= QDF_STATUS_SUCCESS) {
+		clean_up_ft_sha384(assoc_rsp, sha384_akm);
 		qdf_mem_free(assoc_rsp);
 		qdf_mem_free(beacon);
 		pe_err("could not retrieve Capabilities");
@@ -829,6 +843,7 @@ lim_process_assoc_rsp_frame(struct mac_context *mac_ctx, uint8_t *rx_pkt_info,
 	/* return if retry again timer is started and ignore this assoc resp */
 	if (QDF_IS_STATUS_SUCCESS(status)) {
 		qdf_mem_free(beacon);
+		clean_up_ft_sha384(assoc_rsp, sha384_akm);
 		qdf_mem_free(assoc_rsp);
 		return;
 	}
@@ -1032,6 +1047,7 @@ lim_process_assoc_rsp_frame(struct mac_context *mac_ctx, uint8_t *rx_pkt_info,
 		assoc_cnf.protStatusCode = eSIR_SME_SUCCESS;
 		lim_post_sme_message(mac_ctx, LIM_MLM_ASSOC_CNF,
 			(uint32_t *) &assoc_cnf);
+		clean_up_ft_sha384(assoc_rsp, sha384_akm);
 		qdf_mem_free(assoc_rsp);
 		qdf_mem_free(beacon);
 		return;
@@ -1116,6 +1132,7 @@ lim_process_assoc_rsp_frame(struct mac_context *mac_ctx, uint8_t *rx_pkt_info,
 			beacon,
 			&session_entry->lim_join_req->bssDescription, true,
 			 session_entry)) {
+		clean_up_ft_sha384(assoc_rsp, sha384_akm);
 		qdf_mem_free(assoc_rsp);
 		qdf_mem_free(beacon);
 		return;
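Review bot: clean_up_ft_sha384 frees the GTK/IGTK only when `sha384_akm` is set, whereas every other file in this commit (lim_process_deauth_frame.c, lim_process_disassoc_frame.c, lim_reassoc_utils.c, lim_session.c) frees `sha384_ft_subelem.gtk`/`.igtk` unconditionally and relies on the pointers being NULL when nothing was allocated; if wlan_parse_ftie_sha384 allocates under a condition other than `lim_is_sha384_akm(session_entry->connected_akm)`, the leak persists in this file. Unless a stale non-NULL pointer is possible in these fields, dropping the gate and freeing both fields unconditionally would match the rest of the change and remove the `auth_type`/`sha384_akm` locals (the `auth_type` temporary is used once and could be folded into the `lim_is_sha384_akm()` call). The new helper also lacks the kernel-doc header this file uses for its other functions, e.g. `/** clean_up_ft_sha384() - free GTK/IGTK parsed from the FT SHA384 sub-elements` with `@assoc_rsp:` and `@sha384_akm:` lines, as on `lim_process_assoc_rsp_frame()` directly below it. lim_process_assoc_rsp_frame starts and ends outside these hunks, so any early return between its start and the `sha384_akm` assignment that frees assoc_rsp cannot be checked here and would still leak the sub-elements.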

+ 5 - 0
core/mac/src/pe/lim/lim_process_deauth_frame.c

@@ -325,6 +325,7 @@ void lim_perform_deauth(struct mac_context *mac_ctx, struct pe_session *pe_sessi
 	tLimMlmAssocCnf mlmAssocCnf;
 	uint16_t aid;
 	tpDphHashNode sta_ds;
+	tpSirAssocRsp assoc_rsp;
 
 	sta_ds = dph_lookup_hash_entry(mac_ctx, addr, &aid,
 				       &pe_session->dph.dphHashTable);
@@ -537,6 +538,10 @@ void lim_perform_deauth(struct mac_context *mac_ctx, struct pe_session *pe_sessi
 			lim_delete_pre_auth_node(mac_ctx, addr);
 
 		if (pe_session->limAssocResponseData) {
+			assoc_rsp = (tpSirAssocRsp) pe_session->
+					limAssocResponseData;
+			qdf_mem_free(assoc_rsp->sha384_ft_subelem.gtk);
+			qdf_mem_free(assoc_rsp->sha384_ft_subelem.igtk);
 			qdf_mem_free(pe_session->limAssocResponseData);
 			pe_session->limAssocResponseData = NULL;
 		}
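Review bot: The same three-line free sequence for `sha384_ft_subelem.gtk`/`.igtk` followed by the containing `limAssocResponseData` is now duplicated here and in lim_process_disassoc_frame.c, lim_session.c and twice in lim_reassoc_utils.c, so any future allocation added to the assoc-response struct has to be freed in five places. A single non-static helper, for instance `void lim_free_assoc_rsp(tpSirAssocRsp assoc_rsp)` that frees the sub-elements and then the struct, called from each of these sites (and reusable by the static clean_up_ft_sha384 in lim_process_assoc_rsp_frame.c) would keep the ownership rule in one place. If `limAssocResponseData` is declared `void *` (suggested by the explicit `(tpSirAssocRsp)` cast, but not visible here), the cast and the line split across `pe_session->` / `limAssocResponseData` are unnecessary in C and `assoc_rsp = pe_session->limAssocResponseData;` would read cleaner. lim_perform_deauth's body continues outside the hunk.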

+ 5 - 0
core/mac/src/pe/lim/lim_process_disassoc_frame.c

@@ -363,6 +363,7 @@ void lim_perform_disassoc(struct mac_context *mac_ctx, int32_t frame_rssi,
 	tLimMlmDisassocInd mlmDisassocInd;
 	uint16_t aid;
 	tpDphHashNode sta_ds;
+	tpSirAssocRsp assoc_rsp;
 
 	sta_ds = dph_lookup_hash_entry(mac_ctx, addr, &aid,
 				       &pe_session->dph.dphHashTable);
@@ -393,6 +394,10 @@ void lim_perform_disassoc(struct mac_context *mac_ctx, int32_t frame_rssi,
 		pe_debug("received Disassoc from AP while waiting for Reassoc Rsp");
 
 		if (pe_session->limAssocResponseData) {
+			assoc_rsp = (tpSirAssocRsp) pe_session->
+						limAssocResponseData;
+			qdf_mem_free(assoc_rsp->sha384_ft_subelem.gtk);
+			qdf_mem_free(assoc_rsp->sha384_ft_subelem.igtk);
 			qdf_mem_free(pe_session->limAssocResponseData);
 			pe_session->limAssocResponseData = NULL;
 		}

+ 4 - 0
core/mac/src/pe/lim/lim_reassoc_utils.c

@@ -204,6 +204,8 @@ void lim_handle_del_bss_in_re_assoc_context(struct mac_context *mac,
 			qdf_mem_free(beacon_struct);
 			goto error;
 		}
+		qdf_mem_free(assocRsp->sha384_ft_subelem.gtk);
+		qdf_mem_free(assocRsp->sha384_ft_subelem.igtk);
 		qdf_mem_free(assocRsp);
 		qdf_mem_free(beacon_struct);
 		pe_session->limAssocResponseData = NULL;
@@ -325,6 +327,8 @@ void lim_handle_add_bss_in_re_assoc_context(struct mac_context *mac,
 			qdf_mem_free(pBeaconStruct);
 			goto Error;
 		}
+		qdf_mem_free(assocRsp->sha384_ft_subelem.gtk);
+		qdf_mem_free(assocRsp->sha384_ft_subelem.igtk);
 		qdf_mem_free(assocRsp);
 		pe_session->limAssocResponseData = NULL;
 		qdf_mem_free(pBeaconStruct);
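Review bot: The `goto error` and `goto Error` branches immediately above the added frees (after freeing `beacon_struct`/`pBeaconStruct`) skip the new `sha384_ft_subelem.gtk`/`.igtk` frees; if the `error`/`Error` labels release `assocRsp` or `pe_session->limAssocResponseData` (outside the hunks, so not verifiable here), the GTK/IGTK allocations still leak on that path. Either freeing the sub-elements before the `goto`, or performing the free at the label together with the struct, would close that path; hedged, since the label bodies are not shown. Both lim_handle_del_bss_in_re_assoc_context and lim_handle_add_bss_in_re_assoc_context start and end outside these hunks.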

+ 4 - 0
core/mac/src/pe/lim/lim_session.c

@@ -847,6 +847,7 @@ void pe_delete_session(struct mac_context *mac_ctx, struct pe_session *session)
 	uint16_t n;
 	TX_TIMER *timer_ptr;
 	struct wlan_objmgr_vdev *vdev;
+	tpSirAssocRsp assoc_rsp;
 
 	if (!session || (session && !session->valid)) {
 		pe_debug("session already deleted or not valid");
@@ -968,6 +969,9 @@ void pe_delete_session(struct mac_context *mac_ctx, struct pe_session *session)
 		session->parsedAssocReq = NULL;
 	}
 	if (session->limAssocResponseData) {
+		assoc_rsp = (tpSirAssocRsp) session->limAssocResponseData;
+		qdf_mem_free(assoc_rsp->sha384_ft_subelem.gtk);
+		qdf_mem_free(assoc_rsp->sha384_ft_subelem.igtk);
 		qdf_mem_free(session->limAssocResponseData);
 		session->limAssocResponseData = NULL;
 	}