| author | Krishna Kumaar Natarajan <kknatara@qca.qualcomm.com> | 2016-04-15 14:30:01 -0700 |
|---|---|---|
| committer | Anjaneedevi Kapparapu <akappa@codeaurora.org> | 2016-04-18 12:41:35 +0530 |
| commit | 17c90de64d6689543048ee3ca8e77d87ac5ed290 (patch) | |
| tree | 5d3583faf218c909766f6b5a4acdcdee4c598c6a | |
| parent | c7446aa81cd04222b66b663e3859477d6a918126 (diff) | |
qcacld-2.0: Fix incorrect freeing of memory for internal oem response
Fix incorrect freeing of memory for internally generated oem data
response. For internal oem data response, response length will be
zero and oem_data_rsp will not be allocated any memory. Add a check
to not free that memory for internal data response and also assign
that pointer to NULL in the sender.
Change-Id: Ib046bde1652120fc3a9859d567fb2b98b80cff0b
CRs-Fixed: 1004248
| -rw-r--r-- | CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c | 8 | ||||
| -rw-r--r-- | CORE/MAC/src/pe/lim/limSendSmeRspMessages.c | 12 | ||||
| -rw-r--r-- | CORE/SERVICES/WMA/wma.c | 1 | ||||
| -rw-r--r-- | CORE/SME/src/oemData/oemDataApi.c | 3 |
4 files changed, 17 insertions, 7 deletions
diff --git a/CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c b/CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c
index 3a4667db662f..86879546308d 100644
--- a/CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c
+++ b/CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c
@@ -1407,7 +1407,9 @@ error:
 return;
 }
+ vos_mem_zero(pMlmOemDataRsp, sizeof(*pMlmOemDataRsp));
 pMlmOemDataRsp->target_rsp = false;
+ pMlmOemDataRsp->oem_data_rsp = NULL;
 if(NULL != pMac->lim.gpLimMlmOemDataReq) {
@@ -2041,11 +2043,11 @@ static void limProcessMlmOemDataReq(tpAniSirGlobal pMac, tANI_U32 *pMsgBuf)
 /// Return Meas confirm with INVALID_PARAMETERS
 pMlmOemDataRsp = vos_mem_malloc(sizeof(tLimMlmOemDataRsp));
- if ( pMlmOemDataRsp != NULL)
- {
+ if (pMlmOemDataRsp != NULL) {
+ vos_mem_zero(pMlmOemDataRsp, sizeof(*pMlmOemDataRsp));
 pMlmOemDataRsp->target_rsp = false;
+ pMlmOemDataRsp->oem_data_rsp = NULL;
 limPostSmeMessage(pMac, LIM_MLM_OEM_DATA_CNF, (tANI_U32*)pMlmOemDataRsp);
- vos_mem_free(pMlmOemDataRsp);
 } else {
diff --git a/CORE/MAC/src/pe/lim/limSendSmeRspMessages.c b/CORE/MAC/src/pe/lim/limSendSmeRspMessages.c
index 9970b0e0cf34..3bccdb5371f2 100644
--- a/CORE/MAC/src/pe/lim/limSendSmeRspMessages.c
+++ b/CORE/MAC/src/pe/lim/limSendSmeRspMessages.c
@@ -1441,9 +1441,15 @@ void limSendSmeOemDataRsp(tpAniSirGlobal pMac, tANI_U32* pMsgBuf, tSirResultCode
 pMlmOemDataRsp->oem_data_rsp, pSirSmeOemDataRsp->rsp_len);
- //Now free the memory from MLM Rsp Message
- vos_mem_free(pMlmOemDataRsp->oem_data_rsp);
- pMlmOemDataRsp->oem_data_rsp = NULL;
+ /*
+ * Now free the memory from MLM Rsp Message
+ *
+ * Free oem_data_rsp only if rsp is from target
+ */
+ if (pMlmOemDataRsp->target_rsp && pMlmOemDataRsp->oem_data_rsp) {
+ vos_mem_free(pMlmOemDataRsp->oem_data_rsp);
+ pMlmOemDataRsp->oem_data_rsp = NULL;
+ }
 vos_mem_free(pMlmOemDataRsp);
 pMlmOemDataRsp = NULL;
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index 98d21ea9466b..c1424509b6ac 100644
--- a/CORE/SERVICES/WMA/wma.c
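Review bot: After the added `vos_mem_zero(pMlmOemDataRsp, sizeof(*pMlmOemDataRsp))` in the `@@ -1407` hunk, the assignments `target_rsp = false` and `oem_data_rsp = NULL` no longer change anything, so their only job is to document a contract that is not written down anywhere. I would state it once above them, e.g. `/* internally generated response: carries no payload, so the receiver must not free oem_data_rsp */`, because the receiver's decision to skip the free rests entirely on these fields. The same applies to the `@@ -2041` hunk in this file and to the wma.c hunk. The enclosing function starts and ends outside the hunk, so the allocation of pMlmOemDataRsp is not visible here.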
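Review bot: Dropping `vos_mem_free(pMlmOemDataRsp)` after `limPostSmeMessage()` in limProcessMlmOemDataReq hands ownership of the buffer to whoever handles LIM_MLM_OEM_DATA_CNF, and nothing at the call site says so. The limSendSmeRspMessages.c hunk in this commit frees `pMlmOemDataRsp` in limSendSmeOemDataRsp, which is presumably that handler, so the old free would have released the buffer a second time; if that is the reason, a comment such as `/* ownership passes to the LIM_MLM_OEM_DATA_CNF handler, which frees pMlmOemDataRsp */` keeps the next editor from restoring it. It is also worth confirming that limPostSmeMessage cannot return without reaching that handler, since the buffer would then leak. The function body continues outside the hunk.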
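Review bot: The new guard in limSendSmeOemDataRsp covers only the free, while the context lines just above it still hand `pMlmOemDataRsp->oem_data_rsp` and `pSirSmeOemDataRsp->rsp_len` to a call whose start is outside the hunk (it looks like a copy). For an internal response that pointer is now NULL by construction, so the call is safe only if the length is zero or the call is itself skipped on that path; neither is visible here. If it is not already conditional, I would place it under the same test, `if (pMlmOemDataRsp->target_rsp && pMlmOemDataRsp->oem_data_rsp)`, so that the copy and the free share one check.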
+++ b/CORE/SERVICES/WMA/wma.c
@@ -23130,6 +23130,7 @@ out:
 }
 vos_mem_zero(pStartOemDataRsp, sizeof(tStartOemDataRsp));
 pStartOemDataRsp->target_rsp = false;
+ pStartOemDataRsp->oem_data_rsp = NULL;
 WMA_LOGI("%s: Sending WDA_START_OEM_DATA_RSP to clear up PE/SME pending cmd", __func__);
diff --git a/CORE/SME/src/oemData/oemDataApi.c b/CORE/SME/src/oemData/oemDataApi.c
index 1f757e867d34..9b5e56cc3787 100644
--- a/CORE/SME/src/oemData/oemDataApi.c
+++ b/CORE/SME/src/oemData/oemDataApi.c
@@ -340,10 +340,11 @@ eHalStatus sme_HandleOemDataRsp(tHalHandle hHal, tANI_U8* pMsg)
 smsLog(pMac, LOG1, FL("received target oem data resp"));
 send_oem_data_rsp_msg(pOemDataRsp->rsp_len, pOemDataRsp->oem_data_rsp);
+ /* free this memory only if rsp is from target */
+ vos_mem_free(pOemDataRsp->oem_data_rsp);
 } else {
 smsLog(pMac, LOG1, FL("received internal oem data resp"));
 }
- vos_mem_free(pOemDataRsp->oem_data_rsp);
 } while(0);
 return status;
|
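Review bot: The relocated `vos_mem_free(pOemDataRsp->oem_data_rsp)` in sme_HandleOemDataRsp leaves a dangling pointer in the message, whereas limSendSmeOemDataRsp in this same commit clears the field after freeing it. Adding `pOemDataRsp->oem_data_rsp = NULL;` on the next line keeps the two sites consistent and makes a later free or read of that field harmless. The condition that selects this branch is outside the hunk, so whether it tests `target_rsp` cannot be confirmed from here.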
