From 18370faaee9d7be49b6cc90ccdec6840be3ce063 Mon Sep 17 00:00:00 2001
From: Pragaspathi Thilagaraj
Date: Tue, 9 Oct 2018 17:30:13 +0530
Subject: qcacld-3.0: Fix possible double free in lim_handle_delete_bss_rsp

When disconnect is issued from userspace, lim_del_bss is invoked and vdev stop is sent to firmware. If sending vdev stop fails, WMA_DELETE_BSS_RSP is posted with failure. If an SSR is happening during this time, then cds_mc_thread is preempted, and as part of the pld uevent vdev resp queue cleanup is done. In this path, lim_process_sta_mlm_del_bss_rsp is called and msg->bodyptr is freed and pe session is deleted. After pld uevent execution, the delete bss response processing in cds_mc_thread as part of user space disconnect resumes and tries to free the msg->bodyptr again. This results in double free.

Add check to validate if msg->bodyptr is NULL before freeing the memory.

Change-Id: I491e5bab640aca6546b58755502dd00aa1bc6083
CRs-Fixed: 2324482
---
 core/mac/src/pe/lim/lim_send_sme_rsp_messages.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/mac/src/pe/lim/lim_send_sme_rsp_messages.c b/core/mac/src/pe/lim/lim_send_sme_rsp_messages.c index d884e66494c3..fbba7473c912 100644 --- a/core/mac/src/pe/lim/lim_send_sme_rsp_messages.c +++ b/core/mac/src/pe/lim/lim_send_sme_rsp_messages.c @@ -2395,7 +2395,10 @@ void lim_handle_delete_bss_rsp(tpAniSirGlobal pMac, tpSirMsgQ MsgQ) if (psessionEntry == NULL) { pe_err("Session Does not exist for given sessionID: %d", pDelBss->sessionId); - qdf_mem_free(MsgQ->bodyptr); + if (MsgQ->bodyptr) { + qdf_mem_free(MsgQ->bodyptr); + MsgQ->bodyptr = NULL; + } return; } -- cgit v1.2.3
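Review bot: The NULL check added in the psessionEntry == NULL branch only prevents the double free if the other path described in the commit message (the pld uevent cleanup that calls lim_process_sta_mlm_del_bss_rsp) also sets MsgQ->bodyptr to NULL after freeing it; that side is not in this patch, so please confirm it nulls the pointer, otherwise `if (MsgQ->bodyptr)` sees a stale non-NULL value and the second qdf_mem_free still happens. Note also that the context line just above the hunk, `pe_err("Session Does not exist for given sessionID: %d", pDelBss->sessionId);`, dereferences pDelBss before the new check runs; if pDelBss is derived from MsgQ->bodyptr (its origin is outside the hunk), that read hits freed or NULL memory in exactly the scenario this change targets, so the check should move ahead of that dereference or the function should bail out on a NULL bodyptr at entry. Finally, if qdf_mem_free already tolerates NULL, the `if` is only needed to guard the `MsgQ->bodyptr = NULL` assignment and could be dropped in favour of an unconditional free-then-null, which is the simpler idiom.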