Merge "TDLS: Fix possible memory poisoning while processing tdls commands"
diff --git a/CORE/SME/src/csr/csrTdlsProcess.c b/CORE/SME/src/csr/csrTdlsProcess.c
index 9b33416..0bf09ef 100644
--- a/CORE/SME/src/csr/csrTdlsProcess.c
+++ b/CORE/SME/src/csr/csrTdlsProcess.c
@@ -119,6 +119,8 @@
tTdlsSendMgmtCmdInfo *tdlsSendMgmtCmdInfo =
&tdlsSendMgmtCmd->u.tdlsCmd.u.tdlsSendMgmtCmdInfo ;
+ vos_mem_zero(&tdlsSendMgmtCmd->u.tdlsCmd, sizeof(tTdlsCmd));
+
tdlsSendMgmtCmd->sessionId = sessionId;
tdlsSendMgmtCmdInfo->frameType = tdlsSendMgmt->frameType ;
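Review bot: The length given to `vos_mem_zero` is the type name `sizeof(tTdlsCmd)` while the destination is `&tdlsSendMgmtCmd->u.tdlsCmd`. Tying the size to the object, as in `vos_mem_zero(&tdlsSendMgmtCmd->u.tdlsCmd, sizeof(tdlsSendMgmtCmd->u.tdlsCmd));`, keeps the clear in bounds if the member's type ever changes. The same applies to the eight following hunks (`tdlsAddStaCmd` twice, `tdlsLinkEstablishCmd`, `tdlsDelStaCmd`, `tdlsChanSwitchCmd`, `tdlsDisReqCmd`, `tdlsSetupReqCmd`, `tdlsTeardownReqCmd`). Because every enqueue path repeats the same call, clearing once where the command buffer is obtained (outside these hunks) would stop a future TDLS command from missing it and inheriting stale pointers or lengths. A one-line comment such as `/* clear stale contents left in the command buffer before filling it */` would record the reason. The enclosing functions start and end outside the hunks, so confirm the zeroing sits after the NULL check on the command pointer.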
@@ -187,6 +189,8 @@
tTdlsAddStaCmdInfo *tdlsAddStaCmdInfo =
&tdlsAddStaCmd->u.tdlsCmd.u.tdlsAddStaCmdInfo ;
+ vos_mem_zero(&tdlsAddStaCmd->u.tdlsCmd, sizeof(tTdlsCmd));
+
tdlsAddStaCmdInfo->tdlsAddOper = TDLS_OPER_UPDATE;
tdlsAddStaCmd->sessionId = sessionId;
@@ -253,6 +257,8 @@
tTdlsLinkEstablishCmdInfo *tdlsLinkEstablishCmdInfo =
&tdlsLinkEstablishCmd->u.tdlsCmd.u.tdlsLinkEstablishCmdInfo ;
+ vos_mem_zero(&tdlsLinkEstablishCmd->u.tdlsCmd, sizeof(tTdlsCmd));
+
tdlsLinkEstablishCmd->sessionId = sessionId;
vos_mem_copy( tdlsLinkEstablishCmdInfo->peerMac,
@@ -309,6 +315,8 @@
tTdlsAddStaCmdInfo *tdlsAddStaCmdInfo =
&tdlsAddStaCmd->u.tdlsCmd.u.tdlsAddStaCmdInfo ;
+ vos_mem_zero(&tdlsAddStaCmd->u.tdlsCmd, sizeof(tTdlsCmd));
+
tdlsAddStaCmd->sessionId = sessionId;
tdlsAddStaCmdInfo->tdlsAddOper = TDLS_OPER_ADD;
@@ -346,6 +354,8 @@
tTdlsDelStaCmdInfo *tdlsDelStaCmdInfo =
&tdlsDelStaCmd->u.tdlsCmd.u.tdlsDelStaCmdInfo ;
+ vos_mem_zero(&tdlsDelStaCmd->u.tdlsCmd, sizeof(tTdlsCmd));
+
tdlsDelStaCmd->sessionId = sessionId;
vos_mem_copy(tdlsDelStaCmdInfo->peerMac,
@@ -388,6 +398,8 @@
tTdlsChanSwitchCmdInfo *tdlsChanSwitchCmdInfo =
&tdlsChanSwitchCmd->u.tdlsCmd.u.tdlsChanSwitchCmdInfo;
+ vos_mem_zero(&tdlsChanSwitchCmd->u.tdlsCmd, sizeof(tTdlsCmd));
+
tdlsChanSwitchCmd->sessionId = sessionId;
vos_mem_copy(tdlsChanSwitchCmdInfo->peerMac,
@@ -427,6 +439,8 @@
tTdlsDisReqCmdinfo *disReqCmdInfo =
&tdlsDisReqCmd->u.tdlsCmd.u.tdlsDisReqCmdInfo ;
+ vos_mem_zero(&tdlsDisReqCmd->u.tdlsCmd, sizeof(tTdlsCmd));
+
tdlsDisReqCmd->sessionId = sessionId;
disReqCmdInfo->tdlsDisType = tdlsDisReq->disType ;
@@ -461,6 +475,8 @@
tTdlsLinkSetupReqCmdinfo *setupCmdInfo =
&tdlsSetupReqCmd->u.tdlsCmd.u.tdlsLinkSetupReqCmdInfo ;
+ vos_mem_zero(&tdlsSetupReqCmd->u.tdlsCmd, sizeof(tTdlsCmd));
+
tdlsSetupReqCmd->sessionId = sessionId;
vos_mem_copy(setupCmdInfo->peerMac,
@@ -494,6 +510,8 @@
tTdlsLinkTeardownCmdinfo *teardownCmdInfo =
&tdlsTeardownReqCmd->u.tdlsCmd.u.tdlsLinkTeardownCmdInfo ;
+ vos_mem_zero(&tdlsTeardownReqCmd->u.tdlsCmd, sizeof(tTdlsCmd));
+
tdlsTeardownReqCmd->sessionId = sessionId;
vos_mem_copy(teardownCmdInfo->peerMac,
@@ -636,6 +654,8 @@
VOS_ASSERT(0) ;
return status ;
}
+ vos_mem_set(tdlsAddStaReq, sizeof(tSirTdlsAddStaReq), 0);
+
tdlsAddStaReq->sessionId = cmd->sessionId;
tdlsAddStaReq->tdlsAddOper = tdlsAddStaCmdInfo->tdlsAddOper;
//Using dialog as transactionId. This can be used to match response with request
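Review bot: The new clear is written as `vos_mem_set(tdlsAddStaReq, sizeof(tSirTdlsAddStaReq), 0)` while every other hunk in this commit uses `vos_mem_zero`. The (pointer, size, value) order is easy to misread against memset's (pointer, value, size), so the dedicated zeroing helper is the safer spelling. Suggest `vos_mem_zero(tdlsAddStaReq, sizeof(*tdlsAddStaReq));`, which also ties the length to the pointee type. The allocation of `tdlsAddStaReq` is outside the hunk, so confirm it requests at least `sizeof(tSirTdlsAddStaReq)` bytes. The other request builders in this file are not touched by this commit and are not visible here, so they may need the same clear before being sent down.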