wlan: LFR - invalid channel in INI causes double free.

The crash is happening because of a double free in csrScanCopyRequest.

In csrScanCopyRequest, palCopyMemory is called which copies contents of
tCsrScanRequest from pSrcReq to pDstReq. This will include the address
of pointers as well (i.e. pIEField, ChannelList and SSIDList). Due to a
recent commit in CL663677, we ignore the scan request if the channel is
invalid to prevent spawning scans on ALL valid channels. When the scan
request is ignored, csrScanFreeRequest gets called for both pDstReq
(first) as well as pSrcReq. When we decide to ignore the scan request
due to invalid channel, SSIDList in pDstReq will point to the address
that was copied from pSrcReq. Due to this, we end up double freeing the
memory at address pSrcReq->SSIDs.SSIDList.

This is being addressed by re-initializing all the pointer variables in
pDstReq after the palCopyMemory.

When the scan request is ignored due to an invalid channel, there
will not be a scan callback because the request command was never
sent to PE. Due to this the roaming engine gets stuck and remains in
eCSR_NEIGHBOR_ROAM_STATE_CFG_CHAN_LIST_SCAN. This is being fixed by
calling csrNeighborRoamScanRequestCallback if the scan request
fails to unblock the roaming state machine.

Change-Id: I68f79e1a7cb640140968012fc646cf1bd0268a6b
CR-Fixed: 434971
2 files changed
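The failure pattern the commit describes is generic: a struct copied wholesale with a memory copy carries its pointer members along, so the destination silently aliases buffers the source still owns, and an early-exit cleanup of the destination (here, the ignore-on-invalid-channel path) releases memory the source will release again. The following C program, added here as an illustration rather than code from the commit or the driver, models that path with a stand-in for tCsrScanRequest (hypothetical `scan_request_t`, with only ChannelList and SSIDList), a copy routine that can run with or without the fix (re-initializing the pointer members right after the copy), and a quarantining free that counts repeat releases instead of letting them corrupt the heap. The channel validity rule, SSID names and channel lists are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for tCsrScanRequest: scalar fields plus two heap
 * lists the request owns (the page's ChannelList and SSIDList). */
typedef struct {
    uint8_t  num_channels;
    uint8_t *channel_list;
    uint8_t  num_ssids;
    char   **ssid_list;
} scan_request_t;

/* Quarantining free: a released pointer is recorded rather than freed, so a
 * second release of the same address is counted instead of corrupting the
 * heap, and the memory stays readable for the later walk over ssid_list. */
#define QUARANTINE_MAX 64
static void *quarantine[QUARANTINE_MAX];
static int   quarantine_len    = 0;
static int   double_free_count = 0;

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < quarantine_len; i++)
        if (quarantine[i] == p) { double_free_count++; return; }
    if (quarantine_len < QUARANTINE_MAX) quarantine[quarantine_len++] = p;
    else free(p);
}

/* Really release everything recorded (each address once) and reset counters. */
static void tracker_reset(void) {
    for (int i = 0; i < quarantine_len; i++) free(quarantine[i]);
    quarantine_len = 0;
    double_free_count = 0;
}

/* Constructed validity rule: only 2.4 GHz channels 1..14 are accepted. */
static int channel_valid(uint8_t ch) { return ch >= 1 && ch <= 14; }

static void scan_request_free(scan_request_t *r) {
    if (r->ssid_list) {
        for (uint8_t i = 0; i < r->num_ssids; i++) tracked_free(r->ssid_list[i]);
        tracked_free(r->ssid_list);
    }
    tracked_free(r->channel_list);
    r->ssid_list = NULL; r->channel_list = NULL;
    r->num_ssids = 0;    r->num_channels = 0;
}

/* Give r its own copies of the lists; counts advance as each piece lands so
 * scan_request_free() stays safe after a partial (failed) copy. */
static int deep_copy_lists(scan_request_t *r, const uint8_t *channels, uint8_t nch,
                           char *const *ssids, uint8_t nssid) {
    r->channel_list = malloc(nch ? nch : 1);
    if (!r->channel_list) return -1;
    memcpy(r->channel_list, channels, nch);
    r->num_channels = nch;
    r->ssid_list = calloc(nssid ? nssid : 1, sizeof(char *));
    if (!r->ssid_list) return -1;
    for (uint8_t i = 0; i < nssid; i++) {
        size_t n = strlen(ssids[i]) + 1;
        r->ssid_list[i] = malloc(n);
        if (!r->ssid_list[i]) return -1;
        memcpy(r->ssid_list[i], ssids[i], n);
        r->num_ssids = i + 1;
    }
    return 0;
}

/* The copy path from the commit: whole-struct copy first (dst now holds src's
 * pointer values), early rejection on an invalid channel, else own lists.
 * Returns 0 on success, 1 if ignored, -1 on allocation failure; on a non-zero
 * return dst has been released and the caller still owns src. */
static int scan_copy_request(scan_request_t *dst, const scan_request_t *src, int fixed) {
    memcpy(dst, src, sizeof(*dst));
    if (fixed) {
        /* The fix: re-initialize every pointer member right after the copy so
         * an early release of dst cannot touch buffers src still owns. */
        dst->channel_list = NULL; dst->num_channels = 0;
        dst->ssid_list    = NULL; dst->num_ssids    = 0;
    }
    for (uint8_t i = 0; i < src->num_channels; i++) {
        if (!channel_valid(src->channel_list[i])) {
            scan_request_free(dst);   /* unfixed: dst still aliases src's lists */
            return 1;
        }
    }
    if (deep_copy_lists(dst, src->channel_list, src->num_channels,
                        src->ssid_list, src->num_ssids) != 0) {
        scan_request_free(dst);
        return -1;
    }
    return 0;
}

/* Run one request through the copy path, then release src as its owner would.
 * Returns how many double frees the quarantine observed (-1 on alloc failure). */
static int run_scenario(const uint8_t *channels, uint8_t nch, int fixed) {
    char *const ssids[] = { "corp-wifi", "guest" };   /* constructed sample */
    scan_request_t src, dst;
    int rc, seen;
    tracker_reset();
    memset(&src, 0, sizeof(src));
    if (deep_copy_lists(&src, channels, nch, ssids, 2) != 0) return -1;
    rc = scan_copy_request(&dst, &src, fixed);
    if (rc == 0) scan_request_free(&dst);   /* normal path: the copy is released later */
    scan_request_free(&src);                /* the owner always releases the original */
    seen = double_free_count;
    tracker_reset();
    return seen;
}

static const uint8_t kBadChannels[]  = { 1, 6, 0 };    /* channel 0 is invalid here */
static const uint8_t kGoodChannels[] = { 1, 6, 11 };

int main(void) {
    printf("shallow copy, invalid channel: %d double frees\n", run_scenario(kBadChannels, 3, 0));
    printf("fixed copy,   invalid channel: %d double frees\n", run_scenario(kBadChannels, 3, 1));
    printf("shallow copy, valid channels:  %d double frees\n", run_scenario(kGoodChannels, 3, 0));
    return 0;
}
```

With the unfixed copy and an invalid channel, the quarantine reports four repeat releases (two SSID strings, the SSID array and the channel array), which is exactly the set of addresses the early cleanup of the destination and the owner's cleanup of the source both reach; with the pointer members re-initialized after the copy, the count drops to zero, and the valid-channel path is clean in both variants because the destination gets its own lists before anything is released. In a real build the same aliasing is what a heap checker or AddressSanitizer flags as a double free at the owner's second release.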