authorAnjaneedevi Kapparapu <akappa@codeaurora.org>2015-02-18 21:46:13 +0530
committerAnjaneedevi Kapparapu <akappa@codeaurora.org>2015-02-18 21:48:35 +0530
commitd8e376eabe32519efe4ec6bc697c8d4855f189b0 (patch)
treed98d66af3ba53f9047ac5283b5dcc5cbf75018f0
parentb9b89d52218caaf0dfa4fe6b15a24840b0f20926 (diff)
parent37990d148fb41fd1dabcd05f142d7c8c267d8cf3 (diff)
Release 4.0.10.37 QCACLD WLAN Driver
Merge remote-tracking branch 'origin/caf/caf-wlan/master' into HEAD * origin/caf/caf-wlan/master: Cafstaging Release 4.0.10.37 qcacld2.0: HDD: Fix for issues reported by Static Analysis qcacld: Add a sanity check for NULL dereference and array out of bounds Change-Id: I015e5b269d9961fcf39a6d2d8e624b5cba345145
-rw-r--r--CORE/HDD/src/wlan_hdd_ftm.c4
-rwxr-xr-xCORE/HDD/src/wlan_hdd_main.c11
-rw-r--r--CORE/MAC/inc/qwlan_version.h4
-rw-r--r--CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c3
-rw-r--r--CORE/SAP/src/sapFsm.c9
5 files changed, 19 insertions, 12 deletions
diff --git a/CORE/HDD/src/wlan_hdd_ftm.c b/CORE/HDD/src/wlan_hdd_ftm.c
index 71ab148e354f..d0762a8f93ae 100644
--- a/CORE/HDD/src/wlan_hdd_ftm.c
+++ b/CORE/HDD/src/wlan_hdd_ftm.c
@@ -841,10 +841,6 @@ int wlan_hdd_ftm_close(hdd_context_t *pHddCtx)
VOS_ASSERT( VOS_IS_STATUS_SUCCESS( vosStatus ) );
}
- //Free up dynamically allocated members inside HDD Adapter
- kfree(pHddCtx->cfg_ini);
- pHddCtx->cfg_ini= NULL;
-
#if defined(QCA_WIFI_FTM) && defined(LINUX_QCMBR)
spin_lock_bh(&qcmbr_queue_lock);
if (!list_empty(&qcmbr_queue_head)) {
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index 0a0e72c397da..50f678431f86 100755
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -11717,10 +11717,6 @@ void hdd_wlan_exit(hdd_context_t *pHddCtx)
#ifdef IPA_OFFLOAD
hdd_ipa_cleanup(pHddCtx);
#endif
- //Free up dynamically allocated members inside HDD Adapter
- kfree(pHddCtx->cfg_ini);
- pHddCtx->cfg_ini= NULL;
-
/* free the power on lock from platform driver */
if (free_riva_power_on_lock("wlan"))
@@ -11734,6 +11730,13 @@ void hdd_wlan_exit(hdd_context_t *pHddCtx)
hdd_list_destroy(&pHddCtx->hdd_roc_req_q);
free_hdd_ctx:
+
+ /* Free up dynamically allocated members inside HDD Adapter */
+ if (pHddCtx->cfg_ini) {
+ kfree(pHddCtx->cfg_ini);
+ pHddCtx->cfg_ini= NULL;
+ }
+
/* FTM mode, WIPHY did not registered
If un-register here, system crash will happen */
if (VOS_FTM_MODE != hdd_get_conparam())
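Review bot: The `if (pHddCtx->cfg_ini)` guard added under `free_hdd_ctx:` is redundant, because `kfree(NULL)` is a no-op; the block can be just `kfree(pHddCtx->cfg_ini);` followed by `pHddCtx->cfg_ini = NULL;`. Moving the free to the shared label means `cfg_ini` is NULL for every statement that follows it in `hdd_wlan_exit`, on every path that jumps to the label. The rest of the function lies outside this hunk, so it should be checked that nothing after this point (including the wiphy teardown helpers) still reads `pHddCtx->cfg_ini`. A short comment at the label stating that the config is released here and must not be touched afterwards would make that ordering constraint explicit.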
diff --git a/CORE/MAC/inc/qwlan_version.h b/CORE/MAC/inc/qwlan_version.h
index 75800c64ce2b..89363e82a16a 100644
--- a/CORE/MAC/inc/qwlan_version.h
+++ b/CORE/MAC/inc/qwlan_version.h
@@ -42,9 +42,9 @@ BRIEF DESCRIPTION:
#define QWLAN_VERSION_MINOR 0
#define QWLAN_VERSION_PATCH 10
#define QWLAN_VERSION_EXTRA ""
-#define QWLAN_VERSION_BUILD 36
+#define QWLAN_VERSION_BUILD 37
-#define QWLAN_VERSIONSTR "4.0.10.36"
+#define QWLAN_VERSIONSTR "4.0.10.37"
#define AR6320_REV1_VERSION 0x5000000
diff --git a/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c b/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c
index 640a388657a3..cafbe3c9bc74 100644
--- a/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c
+++ b/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c
@@ -417,7 +417,8 @@ limProcessMlmStartCnf(tpAniSirGlobal pMac, tANI_U32 *pMsgBuf)
limSendSmeStartBssRsp(pMac, eWNI_SME_START_BSS_RSP,
((tLimMlmStartCnf *) pMsgBuf)->resultCode,psessionEntry,
smesessionId,smetransactionId);
- if (((tLimMlmStartCnf *) pMsgBuf)->resultCode == eSIR_SME_SUCCESS)
+ if ((psessionEntry != NULL) &&
+ (((tLimMlmStartCnf *) pMsgBuf)->resultCode == eSIR_SME_SUCCESS))
{
channelId = psessionEntry->pLimStartBssReq->channelId;
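Review bot: The new condition guards `psessionEntry` but the first statement inside the block still dereferences `psessionEntry->pLimStartBssReq` without a check. If that request pointer can already have been released or never set on this path (not visible from the hunk), the NULL dereference the commit is aiming at is only half closed; consider `if ((psessionEntry != NULL) && (psessionEntry->pLimStartBssReq != NULL) && ...)`. Note also that `psessionEntry` is passed to `limSendSmeStartBssRsp` just above, before the new check, so that callee has to tolerate NULL as well. The enclosing function starts and continues outside the hunk.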
diff --git a/CORE/SAP/src/sapFsm.c b/CORE/SAP/src/sapFsm.c
index ba176574f5eb..9b17a4439bd6 100644
--- a/CORE/SAP/src/sapFsm.c
+++ b/CORE/SAP/src/sapFsm.c
@@ -4136,7 +4136,14 @@ sapRemoveMacFromACL(v_MACADDR_t *macList, v_U8_t *size, v_U8_t index)
/* return if the list passed is empty. Ideally this should never happen since this funcn is always
called after sapSearchMacList to get the index of the mac addr to be removed and this will
only get called if the search is successful. Still no harm in having the check */
- if (macList==NULL) return;
+ if ((NULL == macList) || (*size == 0) || (*size > MAX_ACL_MAC_ADDRESS))
+ {
+ VOS_TRACE( VOS_MODULE_ID_SAP, VOS_TRACE_LEVEL_INFO_HIGH,
+ "In %s, either buffer is NULL or size %d is incorrect.",
+ __func__, *size);
+ return;
+ }
+
for (i=index; i<((*size)-1); i++)
{
/* Move mac addresses starting from "index" passed one index up to delete the void
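Review bot: The new guard validates `*size` but not `index`, and it dereferences `size` without checking the pointer itself. With `index >= *size` the shift loop below is simply skipped, and whatever follows the loop (outside this hunk, presumably clearing the last slot and decrementing `*size`) would then drop an entry the caller did not ask to remove; adding `|| (index >= *size)` to the condition closes that. If any caller can pass a NULL `size`, it needs its own early return before both the condition and the `VOS_TRACE` call, since both read `*size`. The rejected case is logged at `VOS_TRACE_LEVEL_INFO_HIGH`; an error level would make a corrupted ACL count easier to spot in logs.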