| author | Krishna Kumaar Natarajan <kknatara@qca.qualcomm.com> | 2016-04-19 14:40:29 -0700 |
|---|---|---|
| committer | Anjaneedevi Kapparapu <akappa@codeaurora.org> | 2016-08-17 16:05:43 +0530 |
| commit | b9ac8e567c7c24cc6d1ad437e90b47546882c876 (patch) | |
| tree | aa63435d8e1137d2b66d577eee47321864bf4087 | |
| parent | 692b41c5a8d7bbacadfaf1190447badb64168cfe (diff) | |
qcacld-2.0: Fix memory leak in oem related messages
Fix memory leak in oem related messages. While oem data request/
response is passed through multiple layers, memory was not freed
correctly in some layer. This change set will fix the memory leak
related issues.
Change-Id: Ib92640c478e4ddef5cd67b292da2c8cacf70fdfd
CRs-Fixed: 1005630
| -rw-r--r-- | CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c | 6 | ||||
| -rw-r--r-- | CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c | 2 | ||||
| -rw-r--r-- | CORE/SERVICES/WMA/wma.c | 89 | ||||
| -rw-r--r-- | CORE/SME/src/oemData/oemDataApi.c | 5 |
4 files changed, 38 insertions, 64 deletions
diff --git a/CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c b/CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c
index 519fe8c50f3b..351e0e86e04d 100644
--- a/CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c
+++ b/CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c
@@ -1962,8 +1962,10 @@ static void limProcessMlmOemDataReq(tpAniSirGlobal pMac, tANI_U32 *pMsgBuf)
 limPrintMlmState(pMac, LOGW, pMac->lim.gLimMlmState);
- /// Free up buffer allocated
- vos_mem_free(pMsgBuf);
+ /* Free up incoming buffer */
+ if (data_req->data)
+ vos_mem_free(data_req->data);
+ vos_mem_free(data_req);
 /// Return Meas confirm with INVALID_PARAMETERS
 pMlmOemDataRsp = vos_mem_malloc(sizeof(tLimMlmOemDataRsp));
diff --git a/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c b/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
index 9d6f7f4f2330..1197d319f1b4 100644
--- a/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
+++ b/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
@@ -1786,6 +1786,8 @@ static void __limProcessSmeOemDataReq(tpAniSirGlobal pMac, tANI_U32 *pMsgBuf)
 if (!pMlmOemDataReq->data) {
 limLog(pMac, LOGP, FL("memory allocation failed"));
 vos_mem_free(pMlmOemDataReq);
+ /* buffer from SME copied, free it now */
+ vos_mem_free(pOemDataReq->data);
 return;
 }
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index 5a703c33badc..c3edf99220ab 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -5662,10 +5662,9 @@ static int wma_oem_capability_event_callback(void *handle,
 * of data received from target should be 4 bytes less
 * then max allowed
 */
- if (datalen > (OEM_DATA_RSP_SIZE - OEM_MESSAGE_SUBTYPE_LEN)) {
- WMA_LOGE("%s: Received data len (%d) exceeds max value (%d)",
- __func__, datalen,
- (OEM_DATA_RSP_SIZE - OEM_MESSAGE_SUBTYPE_LEN));
+ if (datalen <= 0 ||
+ datalen > (OEM_DATA_RSP_SIZE - OEM_MESSAGE_SUBTYPE_LEN)) {
+ WMA_LOGE(FL("Invalid data length: %d"), datalen);
 return -EINVAL;
 }
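Review bot: In limProcessMlmOemDataReq (limProcessMlmReqMessages.c) the new `if (data_req->data)` guard is inconsistent with the other frees visible in this commit, which call `vos_mem_free()` on the data pointer unguarded in __limProcessSmeOemDataReq and sme_HandleOemDataRsp. If vos_mem_free() accepts NULL, as those call sites suggest, the guard can go and the line becomes `vos_mem_free(data_req->data);`; if it does not, the other sites need the same guard. The declaration of `data_req` and its relation to `pMsgBuf` are outside the hunk, so a comment along the lines of `/* data_req is the incoming message; it owns data_req->data */` would make the ownership explicit, once confirmed against the declaration.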
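Review bot: In __limProcessSmeOemDataReq (limProcessSmeReqMessages.c) the added `vos_mem_free(pOemDataReq->data);` leaves the freed pointer in the request, so any later cleanup of the same SME message that also releases `data` would free it twice; whether such a cleanup exists is outside the hunk. Clearing it straight after, `pOemDataReq->data = NULL;`, matches what this commit does for `oem_data_rsp` in sme_HandleOemDataRsp. The comment is also inaccurate on this path: the branch runs when the allocation for the copy failed, so nothing was copied, and `/* copy buffer allocation failed; release the SME buffer */` describes it. The function body starts and ends outside the hunk.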
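Review bot: The length check in wma_oem_capability_event_callback (wma.c) bounds `datalen` only against the constant `OEM_DATA_RSP_SIZE - OEM_MESSAGE_SUBTYPE_LEN`. Where `datalen` is read from and the later copy are outside the hunk, but if it is the count reported by the target it should also be compared with the number of bytes actually present in the received event before anything is copied. The same applies to the identical checks in wma_oem_measurement_report_event_callback, wma_oem_error_report_event_callback and wma_oem_data_response_handler. If `datalen` is declared unsigned, `datalen <= 0` is only a zero test and `%d` should be `%u`; the message would also be more useful with the limit kept, e.g. `WMA_LOGE(FL("Invalid data length: %d (max %d)"), datalen, OEM_DATA_RSP_SIZE - OEM_MESSAGE_SUBTYPE_LEN);`.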
@@ -5676,19 +5675,12 @@ static int wma_oem_capability_event_callback(void *handle,
 }
 pStartOemDataRsp->rsp_len = datalen + OEM_MESSAGE_SUBTYPE_LEN;
- if (pStartOemDataRsp->rsp_len) {
- pStartOemDataRsp->oem_data_rsp =
- vos_mem_malloc(pStartOemDataRsp->rsp_len);
- if (!pStartOemDataRsp->oem_data_rsp) {
- WMA_LOGE(FL("malloc failed for data"));
- vos_mem_free(pStartOemDataRsp);
- return -ENOMEM;
- }
- } else {
- WMA_LOGE(FL("Invalid rsp length: %d"),
- pStartOemDataRsp->rsp_len);
+ pStartOemDataRsp->oem_data_rsp =
+ vos_mem_malloc(pStartOemDataRsp->rsp_len);
+ if (!pStartOemDataRsp->oem_data_rsp) {
+ WMA_LOGE(FL("malloc failed for data"));
 vos_mem_free(pStartOemDataRsp);
- return -EINVAL;
+ return -ENOMEM;
 }
 pStartOemDataRsp->target_rsp = true;
@@ -5734,10 +5726,9 @@ static int wma_oem_measurement_report_event_callback(void *handle,
 * of data received from target should be 4 bytes less
 * then max allowed
 */
- if (datalen > (OEM_DATA_RSP_SIZE - OEM_MESSAGE_SUBTYPE_LEN)) {
- WMA_LOGE("%s: Received data len (%d) exceeds max value (%d)",
- __func__, datalen,
- (OEM_DATA_RSP_SIZE - OEM_MESSAGE_SUBTYPE_LEN));
+ if (datalen <= 0 ||
+ datalen > (OEM_DATA_RSP_SIZE - OEM_MESSAGE_SUBTYPE_LEN)) {
+ WMA_LOGE(FL("Invalid data length: %d"), datalen);
 return -EINVAL;
 }
@@ -5748,19 +5739,12 @@ static int wma_oem_measurement_report_event_callback(void *handle,
 }
 pStartOemDataRsp->rsp_len = datalen + OEM_MESSAGE_SUBTYPE_LEN;
- if (pStartOemDataRsp->rsp_len) {
- pStartOemDataRsp->oem_data_rsp =
+ pStartOemDataRsp->oem_data_rsp =
 vos_mem_malloc(pStartOemDataRsp->rsp_len);
- if (!pStartOemDataRsp->oem_data_rsp) {
- WMA_LOGE(FL("malloc failed for data"));
- vos_mem_free(pStartOemDataRsp);
- return -ENOMEM;
- }
- } else {
- WMA_LOGE(FL("Invalid rsp length: %d"),
- pStartOemDataRsp->rsp_len);
+ if (!pStartOemDataRsp->oem_data_rsp) {
+ WMA_LOGE(FL("malloc failed for data"));
 vos_mem_free(pStartOemDataRsp);
- return -EINVAL;
+ return -ENOMEM;
 }
 pStartOemDataRsp->target_rsp = true;
@@ -5806,10 +5790,9 @@ static int wma_oem_error_report_event_callback(void *handle,
 * of data received from target should be 4 bytes less
 * then max allowed
 */
- if (datalen > (OEM_DATA_RSP_SIZE - OEM_MESSAGE_SUBTYPE_LEN)) {
- WMA_LOGE("%s: Received data len (%d) exceeds max value (%d)",
- __func__, datalen,
- (OEM_DATA_RSP_SIZE - OEM_MESSAGE_SUBTYPE_LEN));
+ if (datalen <= 0 ||
+ datalen > (OEM_DATA_RSP_SIZE - OEM_MESSAGE_SUBTYPE_LEN)) {
+ WMA_LOGE(FL("Invalid data length: %d"), datalen);
 return -EINVAL;
 }
@@ -5820,19 +5803,12 @@ static int wma_oem_error_report_event_callback(void *handle,
 }
 pStartOemDataRsp->rsp_len = datalen + OEM_MESSAGE_SUBTYPE_LEN;
- if (pStartOemDataRsp->rsp_len) {
- pStartOemDataRsp->oem_data_rsp =
- vos_mem_malloc(pStartOemDataRsp->rsp_len);
- if (!pStartOemDataRsp->oem_data_rsp) {
- WMA_LOGE(FL("malloc failed for data"));
- vos_mem_free(pStartOemDataRsp);
- return -ENOMEM;
- }
- } else {
- WMA_LOGE(FL("Invalid rsp length: %d"),
- pStartOemDataRsp->rsp_len);
+ pStartOemDataRsp->oem_data_rsp =
+ vos_mem_malloc(pStartOemDataRsp->rsp_len);
+ if (!pStartOemDataRsp->oem_data_rsp) {
+ WMA_LOGE(FL("malloc failed for data"));
 vos_mem_free(pStartOemDataRsp);
- return -EINVAL;
+ return -ENOMEM;
 }
 pStartOemDataRsp->target_rsp = true;
@@ -5881,9 +5857,8 @@ static int wma_oem_data_response_handler(void *handle,
 return -EINVAL;
 }
- if (datalen > OEM_DATA_RSP_SIZE) {
- WMA_LOGE(FL("Received data len %d exceeds max value %d"),
- datalen, OEM_DATA_RSP_SIZE);
+ if (datalen <= 0 || datalen > OEM_DATA_RSP_SIZE) {
+ WMA_LOGE(FL("Invalid data length: %d"), datalen);
 return -EINVAL;
 }
@@ -5894,17 +5869,11 @@ static int wma_oem_data_response_handler(void *handle,
 }
 oem_rsp->rsp_len = datalen;
- if (oem_rsp->rsp_len) {
- oem_rsp->oem_data_rsp = vos_mem_malloc(oem_rsp->rsp_len);
- if (!oem_rsp->rsp_len) {
- WMA_LOGE(FL("malloc failed for data"));
- vos_mem_free(oem_rsp);
- return -ENOMEM;
- }
- } else {
- WMA_LOGE(FL("Invalid rsp length: %d"), oem_rsp->rsp_len);
+ oem_rsp->oem_data_rsp = vos_mem_malloc(oem_rsp->rsp_len);
+ if (!oem_rsp->rsp_len) {
+ WMA_LOGE(FL("malloc failed for data"));
 vos_mem_free(oem_rsp);
- return -EINVAL;
+ return -ENOMEM;
 }
 oem_rsp->target_rsp = true;
diff --git a/CORE/SME/src/oemData/oemDataApi.c b/CORE/SME/src/oemData/oemDataApi.c
index 9b5e56cc3787..3e42350e80fc 100644
--- a/CORE/SME/src/oemData/oemDataApi.c
+++ b/CORE/SME/src/oemData/oemDataApi.c
@@ -324,10 +324,10 @@ eHalStatus sme_HandleOemDataRsp(tHalHandle hHal, tANI_U8* pMsg)
 if (csrLLRemoveEntry(&pMac->sme.smeCmdActiveList, &pCommand->Link, LL_ACCESS_LOCK)) {
- vos_mem_set(&(pCommand->u.oemDataCmd),
- sizeof(tOemDataCmd), 0);
 req = &(pCommand->u.oemDataCmd.oemDataReq);
 vos_mem_free(req->data);
+ vos_mem_set(&(pCommand->u.oemDataCmd),
+ sizeof(tOemDataCmd), 0);
 smeReleaseCommand(pMac, pCommand);
 }
 }
@@ -342,6 +342,7 @@ eHalStatus sme_HandleOemDataRsp(tHalHandle hHal, tANI_U8* pMsg)
 pOemDataRsp->oem_data_rsp);
 /* free this memory only if rsp is from target */
 vos_mem_free(pOemDataRsp->oem_data_rsp);
+ pOemDataRsp->oem_data_rsp = NULL;
 } else {
 smsLog(pMac, LOG1, FL("received internal oem data resp"));
 } |
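Review bot: The allocation-failure test in wma_oem_data_response_handler checks the wrong field: `if (!oem_rsp->rsp_len)` tests the length, which the earlier `datalen <= 0` rejection keeps non-zero, so a failed `vos_mem_malloc()` is never caught and `oem_rsp->oem_data_rsp` stays NULL for whatever uses it after the hunk. The line should read `if (!oem_rsp->oem_data_rsp) {`, as in the three event callbacks earlier in wma.c. The condition is carried over unchanged from the removed code, and the rest of the function is outside the hunk.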
