wlan: Fix memory leak and NULL pointer dereference issues

A few functions don't free the allocated memory in failure cases
and dereference the pointer before the NULL check.

This change frees the allocated memory in failure cases,
adds a NULL check before dereferencing the pointer and
fixes a memory layering violation in SME.

Change-Id: Ia4717c29788612a9b0c6e0286e6d70cefcc81df7
CRs-Fixed: 996173
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index b41784a..c5a3a04 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -6400,12 +6400,12 @@
         if (control == QCA_WLAN_RSSI_MONITORING_START) {
                 if (!tb[PARAM_MIN_RSSI]) {
                         hddLog(LOGE, FL("attr min rssi failed"));
-                        return -EINVAL;
+                        goto fail;
                 }
 
                 if (!tb[PARAM_MAX_RSSI]) {
                         hddLog(LOGE, FL("attr max rssi failed"));
-                        return -EINVAL;
+                        goto fail;
                 }
 
                 pReq->minRssi = nla_get_s8(tb[PARAM_MIN_RSSI]);
@@ -6415,7 +6415,7 @@
                 if (!(pReq->minRssi < pReq->maxRssi)) {
                         hddLog(LOGW, FL("min_rssi: %d must be less than max_rssi: %d"),
                                         pReq->minRssi, pReq->maxRssi);
-                        return -EINVAL;
+                        goto fail;
                 }
                 hddLog(LOG1, FL("Min_rssi: %d Max_rssi: %d"),
                        pReq->minRssi, pReq->maxRssi);
@@ -6428,16 +6428,19 @@
         }
         else {
                 hddLog(LOGE, FL("Invalid control cmd: %d"), control);
-                return -EINVAL;
+                goto fail;
         }
 
         if (!HAL_STATUS_SUCCESS(status)) {
                 hddLog(LOGE,
                         FL("sme_set_rssi_monitoring failed(err=%d)"), status);
-                return -EINVAL;
+                goto fail;
         }
 
         return 0;
+fail:
+        vos_mem_free(pReq);
+        return -EINVAL;
 }
 
 /*
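Review bot: The success path at `return 0;` just above the new `fail:` label leaves pReq allocated, so whether this is a leak depends on whether sme_set_rssi_monitoring() takes ownership of pReq or copies it into its own message, and the hunk does not show which. If SME copies (as sme_InitMgmtFrameLogging() does in this same change), pReq should be freed on success as well; if SME takes ownership, `goto fail` after a failed status would free a buffer SME may already have posted or released. Either way the rule should be stated where pReq is allocated, e.g. `/* pReq: freed here on every error path; OWNER-TBD frees it once sme_set_rssi_monitoring() succeeds */` with the owner filled in from the SME implementation. The two earlier hunks in this file (the `goto fail` conversions for the min/max RSSI checks) share this label; the enclosing function and its allocation of pReq begin outside the hunk.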
@@ -6751,7 +6754,7 @@
     if (request_id == 0)
     {
         hddLog(LOGE, FL("request_id cannot be zero"));
-        return -EINVAL;
+        goto fail;
     }
 
     if (!tb[PARAM_PERIOD])
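Review bot: The new `goto fail` at the request_id check jumps to a label that is outside this hunk, so it is not visible here whether the buffer that `fail:` frees has already been allocated at this point; if the allocation comes after the check, the label would free an uninitialized or NULL pointer. If the pointer is declared before this check but assigned later, initialising it to NULL at its declaration (and confirming vos_mem_free() tolerates NULL) or moving the check after the allocation keeps the label safe. The enclosing function starts and ends outside the hunk.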
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index 9a8424a..1c81bd0 100644
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -11081,7 +11081,7 @@
 void hdd_init_frame_logging(hdd_context_t* pHddCtx)
 {
    eHalStatus halStatus = eHAL_STATUS_FAILURE;
-   tpSirFWLoggingInitParam wlanFWLoggingInitParam;
+   tSirFWLoggingInitParam wlanFWLoggingInitParam = {0};
 
    if (TRUE != sme_IsFeatureSupportedByFW(MGMT_FRAME_LOGGING) &&
        TRUE != sme_IsFeatureSupportedByFW(LOGGING_ENHANCEMENT))
@@ -11090,15 +11090,6 @@
        return;
    }
 
-   wlanFWLoggingInitParam = vos_mem_malloc(sizeof(tSirFWLoggingInitParam));
-   if(NULL == wlanFWLoggingInitParam)
-   {
-       hddLog(VOS_TRACE_LEVEL_FATAL, "%s: vos_mem_alloc failed ", __func__);
-       return;
-   }
-
-   vos_mem_set(wlanFWLoggingInitParam, sizeof(tSirFWLoggingInitParam), 0);
-
    hddLog(VOS_TRACE_LEVEL_INFO, "%s: Configuring %s %s %s %s Logging",__func__,
                pHddCtx->cfg_ini->enableFWLogging?"FW Log,":"",
                pHddCtx->cfg_ini->enableContFWLogging ? "Cont FW log,":"",
@@ -11108,47 +11099,48 @@
    if (pHddCtx->cfg_ini->enableFWLogging ||
                  pHddCtx->cfg_ini->enableContFWLogging)
    {
-      wlanFWLoggingInitParam->enableFlag |= WLAN_QXDM_LOG_EN;
+      wlanFWLoggingInitParam.enableFlag |= WLAN_QXDM_LOG_EN;
    }
 
    if (pHddCtx->cfg_ini->enableMgmtLogging)
    {
-      wlanFWLoggingInitParam->enableFlag |= WLAN_FRAME_LOG_EN;
+      wlanFWLoggingInitParam.enableFlag |= WLAN_FRAME_LOG_EN;
    }
    if (pHddCtx->cfg_ini->enableBMUHWtracing)
    {
-      wlanFWLoggingInitParam->enableFlag |= WLAN_BMUHW_TRACE_LOG_EN;
+      wlanFWLoggingInitParam.enableFlag |= WLAN_BMUHW_TRACE_LOG_EN;
    }
    if(pHddCtx->cfg_ini->enableFwrMemDump &&
       (TRUE == sme_IsFeatureSupportedByFW(MEMORY_DUMP_SUPPORTED)))
    {
-      wlanFWLoggingInitParam->enableFlag |= WLAN_FW_MEM_DUMP_EN;
+      wlanFWLoggingInitParam.enableFlag |= WLAN_FW_MEM_DUMP_EN;
    }
-   if( wlanFWLoggingInitParam->enableFlag == 0 )
+   if( wlanFWLoggingInitParam.enableFlag == 0 )
    {
       hddLog(VOS_TRACE_LEVEL_ERROR, "%s: Logging not enabled", __func__);
       return;
    }
-   wlanFWLoggingInitParam->frameType = WLAN_FRAME_LOGGING_FRAMETYPE_MGMT;
-   wlanFWLoggingInitParam->frameSize = WLAN_MGMT_LOGGING_FRAMESIZE_128BYTES;
-   wlanFWLoggingInitParam->bufferMode = WLAN_FRAME_LOGGING_BUFFERMODE_CIRCULAR;
-   wlanFWLoggingInitParam->continuousFrameLogging =
+   wlanFWLoggingInitParam.frameType = WLAN_FRAME_LOGGING_FRAMETYPE_MGMT;
+   wlanFWLoggingInitParam.frameSize = WLAN_MGMT_LOGGING_FRAMESIZE_128BYTES;
+   wlanFWLoggingInitParam.bufferMode = WLAN_FRAME_LOGGING_BUFFERMODE_CIRCULAR;
+   wlanFWLoggingInitParam.continuousFrameLogging =
                               pHddCtx->cfg_ini->enableContFWLogging;
 
-   wlanFWLoggingInitParam->enableFlag &= ~WLAN_DPU_TXP_LOG_EN;
+   wlanFWLoggingInitParam.enableFlag &= ~WLAN_DPU_TXP_LOG_EN;
 
-   wlanFWLoggingInitParam->minLogBufferSize =
+   wlanFWLoggingInitParam.minLogBufferSize =
                               pHddCtx->cfg_ini->minLoggingBufferSize;
-   wlanFWLoggingInitParam->maxLogBufferSize =
+   wlanFWLoggingInitParam.maxLogBufferSize =
                               pHddCtx->cfg_ini->maxLoggingBufferSize;
-   wlanFWLoggingInitParam->fwlogInitCallback = hdd_init_frame_logging_done;
-   wlanFWLoggingInitParam->fwlogInitCbContext= pHddCtx;
+   wlanFWLoggingInitParam.fwlogInitCallback = hdd_init_frame_logging_done;
+   wlanFWLoggingInitParam.fwlogInitCbContext= pHddCtx;
 
-   halStatus = sme_InitMgmtFrameLogging(pHddCtx->hHal, wlanFWLoggingInitParam);
+   halStatus = sme_InitMgmtFrameLogging(pHddCtx->hHal, &wlanFWLoggingInitParam);
 
    if (eHAL_STATUS_SUCCESS != halStatus)
    {
-       vos_mem_free(wlanFWLoggingInitParam);
+       hddLog(LOGE, FL("sme_InitMgmtFrameLogging failed, returned %d"),
+            halStatus);
    }
 
    return;
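Review bot: wlanFWLoggingInitParam now lives on the stack, so passing `&wlanFWLoggingInitParam` on the changed sme_InitMgmtFrameLogging() call is only safe because the SME side, patched in this same change, copies the struct into its own heap message before posting; that dependency is not recorded at the call site. A one-line comment there, `/* stack object: sme_InitMgmtFrameLogging() copies it, the pointer must not be retained */`, would stop a later SME change from silently reintroducing a use-after-return. The failure branch now only logs and hdd_init_frame_logging() returns void, so the caller cannot tell the request was dropped; presumably acceptable for best-effort logging setup, but worth stating in the function header. The header is in the first hunk of this file and the call in the third.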
diff --git a/CORE/HDD/src/wlan_hdd_trace.c b/CORE/HDD/src/wlan_hdd_trace.c
index 2c82982..6901109 100644
--- a/CORE/HDD/src/wlan_hdd_trace.c
+++ b/CORE/HDD/src/wlan_hdd_trace.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2015 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -151,14 +151,16 @@
     /* get the global voss context */
     vos_ctx_ptr = vos_get_global_context(VOS_MODULE_ID_VOSS, NULL);
 
-    if (NULL != vos_ctx_ptr) {
-        hdd_ctx_ptr = vos_get_context(VOS_MODULE_ID_HDD, vos_ctx_ptr);
-    } else {
-        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-                  "%s: Invalid Global VOSS Context", __func__);
+    if (!vos_ctx_ptr) {
+        hddLog(LOGE, FL("Invalid Global VOSS Context"));
         VOS_ASSERT(0);
         return;
     }
+    hdd_ctx_ptr = vos_get_context(VOS_MODULE_ID_HDD, vos_ctx_ptr);
+    if (!hdd_ctx_ptr) {
+       hddLog(LOGE, FL("HDD context is Null"));
+       return;
+    }
 
     hddLog(LOG1,
            FL("mScanPending %d isWlanSuspended %d disable_dfs_flag %d"),
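Review bot: The new hdd_ctx_ptr block is indented with three spaces (its `hddLog(...)` and `return;` lines) while the surrounding function, including the `if (!vos_ctx_ptr)` block just above, uses four, so it reads as a different nesting level; reindent it to match. The two checks also differ in severity: a NULL VOSS context asserts with `VOS_ASSERT(0);` while a NULL HDD context returns silently — if that asymmetry is intended, a short comment saying why would help, otherwise mirror the assert. The function continues past the hunk.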
diff --git a/CORE/MAC/src/pe/lim/limApi.c b/CORE/MAC/src/pe/lim/limApi.c
index 84bbedc..6d34461 100644
--- a/CORE/MAC/src/pe/lim/limApi.c
+++ b/CORE/MAC/src/pe/lim/limApi.c
@@ -2232,6 +2232,13 @@
     }
     pSmeLostLinkParams =
     (tpSirSmeLostLinkParamsInd)vos_mem_malloc(sizeof(tSirSmeLostLinkParamsInd));
+    if (NULL == pSmeLostLinkParams)
+    {
+        limLog(pMac, LOGP,
+            FL("Failed to alloc mem of size %zu for tSirSmeLostLinkParamsInd"),
+            sizeof(*pSmeLostLinkParams));
+        return;
+    }
     vos_mem_set(pSmeLostLinkParams, sizeof(tSirSmeLostLinkParamsInd), 0);
     pSmeLostLinkParams->messageType = eWNI_SME_LOST_LINK_PARAMS_IND;
     pSmeLostLinkParams->length = sizeof(tSirSmeLostLinkParamsInd);
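Review bot: The new failure log reports `sizeof(*pSmeLostLinkParams)` while the allocation on the context line above uses `sizeof(tSirSmeLostLinkParamsInd)`; they agree today, but using one form in both places, `vos_mem_malloc(sizeof(*pSmeLostLinkParams))`, ties the logged size to the allocated one and lets the redundant cast on the allocation go. The bare `return;` on allocation failure is correct only if nothing acquired earlier in the function needs releasing; the function start is outside the hunk, so that could not be confirmed here.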
diff --git a/CORE/SME/src/sme_common/sme_Api.c b/CORE/SME/src/sme_common/sme_Api.c
index f38c706..2279c08 100644
--- a/CORE/SME/src/sme_common/sme_Api.c
+++ b/CORE/SME/src/sme_common/sme_Api.c
@@ -7946,22 +7946,39 @@
     VOS_STATUS vosStatus = VOS_STATUS_SUCCESS;
     tpAniSirGlobal pMac = PMAC_STRUCT(hHal);
     vos_msg_t       vosMessage;
+    tpSirFWLoggingInitParam msg;
+
+    msg = vos_mem_malloc(sizeof(tSirFWLoggingInitParam));
+
+    if (NULL == msg)
+    {
+        smsLog(pMac, LOGE, FL("Failed to alloc mem of size %zu for msg"),
+            sizeof(*msg));
+        return eHAL_STATUS_FAILED_ALLOC;
+    }
+    *msg = *wlanFWLoggingInitParam;
 
     if ( eHAL_STATUS_SUCCESS == ( status =
                                         sme_AcquireGlobalLock( &pMac->sme ) ) )
     {
         /* serialize the req through MC thread */
-        vosMessage.bodyptr = wlanFWLoggingInitParam;
+        vosMessage.bodyptr = msg;
         vosMessage.type         = WDA_MGMT_LOGGING_INIT_REQ;
         MTRACE(vos_trace(VOS_MODULE_ID_SME,
                  TRACE_CODE_SME_TX_WDA_MSG, NO_SESSION, vosMessage.type));
         vosStatus = vos_mq_post_message( VOS_MQ_ID_WDA, &vosMessage );
         if ( !VOS_IS_STATUS_SUCCESS(vosStatus) )
         {
+           vos_mem_free(msg);
            status = eHAL_STATUS_FAILURE;
         }
         sme_ReleaseGlobalLock( &pMac->sme );
     }
+    else
+    {
+        smsLog(pMac, LOGE, FL("sme_AcquireGlobalLock error"));
+        vos_mem_free(msg);
+    }
     return(status);
 }
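Review bot: `*msg = *wlanFWLoggingInitParam;` dereferences the parameter with no NULL check, so the function this change turns into a copying API still trusts its caller; a guard before the allocation, `if (!wlanFWLoggingInitParam) return eHAL_STATUS_INVALID_PARAMETER;`, avoids both the dereference and an allocation that would then have to be freed. Ownership of msg is now split across three paths — freed here when the post fails or the lock cannot be taken, otherwise handed to the WDA message handler — and that rule is not written down; a comment at the post, `/* msg is owned by the WDA handler after a successful post; freed there */` (verify the handler does free it), would document it. The function signature is above the hunk.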
 /* ---------------------------------------------------------------------------