| author | Yeshwanth Sriram Guntuka <ysriramg@codeaurora.org> | 2019-05-08 15:16:07 +0530 |
|---|---|---|
| committer | Yeshwanth Sriram Guntuka <ysriramg@codeaurora.org> | 2019-05-08 15:16:07 +0530 |
| commit | f9d4e6edce0fbdd2d904742ec23a4b0fbb1ebe9a (patch) | |
| tree | f68504af4407f6e571d1596894b8a0abf75f2d29 | |
| parent | 382e54f122beaf93fd990d974bb77774c34acb3c (diff) | |
qcacmn: Fix potential double free in send_log_supported_evt_cmd_tlv

In send_log_supported_evt_cmd_tlv, events_logs_list in
wma handle is freed if previously allocated. If the
num_of_diag_events_logs exceeds the max size, we exit
from the function early without allocating memory for
events_logs_list. This can result in potential double
free scenario if we receive another DIAG_EVENT_LOG_SUPPORTED
event from firmware.

Fix is to set events_logs_list pointer to NULL after
freeing memory.

Change-Id: I9d6148dfc064d87e2947d1b5ec4492c08913dd4c
CRs-Fixed: 2433802
| -rw-r--r-- | wmi/src/wmi_unified_tlv.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c index ac85fe11b9d8..953628eb479b 100644 --- a/wmi/src/wmi_unified_tlv.c +++ b/wmi/src/wmi_unified_tlv.c @@ -10895,8 +10895,10 @@ QDF_STATUS send_log_supported_evt_cmd_tlv(wmi_unified_t wmi_handle, __func__, num_of_diag_events_logs); /* Free any previous allocation */ - if (wmi_handle->events_logs_list) + if (wmi_handle->events_logs_list) { qdf_mem_free(wmi_handle->events_logs_list); + wmi_handle->events_logs_list = NULL; + } if (num_of_diag_events_logs > (WMI_SVC_MSG_MAX_SIZE / sizeof(uint32_t))) { |
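Review bot: in the "Free any previous allocation" block, only the pointer is reset; if wmi_handle also stores an element count for events_logs_list, clear it in the same block, otherwise the early return on num_of_diag_events_logs > (WMI_SVC_MSG_MAX_SIZE / sizeof(uint32_t)) leaves a NULL list paired with a stale count for any later reader. The free and the NULL assignment are also two separate steps, so if another context can read or free events_logs_list while this event handler runs, both lines need to sit under whatever lock protects the handle. A short comment on the added assignment saying that the early-return path below depends on it would help keep the line from being dropped in a later cleanup.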
