samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Fix potential double free in send_log_supported_evt_cmd_tlv

Browse Source 
In send_log_supported_evt_cmd_tlv, events_logs_list in
wma handle is freed if previously allocated. If the
num_of_diag_events_logs exceeds the max size, we exit
from the function early without allocating memory for
events_logs_list. This can result in potential double
free scenario if we receive another DIAG_EVENT_LOG_SUPPORTED
event from firmware.

Fix is to set events_logs_list pointer to NULL after
freeing memory.

Change-Id: I9d6148dfc064d87e2947d1b5ec4492c08913dd4c
CRs-Fixed: 2433802
This commit is contained in:
Yeshwanth Sriram Guntuka
2019-04-12 16:09:25 +05:30
committed by nshrivas
parent 2864718af8
commit c630c47341
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
wmi/src/wmi_unified_tlv.c
View File

@@ -6486,8 +6486,10 @@ static QDF_STATUS send_log_supported_evt_cmd_tlv(wmi_unified_t wmi_handle,
__func__, num_of_diag_events_logs);
/* Free any previous allocation */
if (wmi_handle->events_logs_list)
if (wmi_handle->events_logs_list) {
qdf_mem_free(wmi_handle->events_logs_list);
wmi_handle->events_logs_list = NULL;
}
if (num_of_diag_events_logs >
(WMI_SVC_MSG_MAX_SIZE / sizeof(uint32_t))) {