qcacld-3.0: Fix mem leak in wma_roam_synch_frame_event_handler
The function wma_roam_synch_frame_event_handler, memory is
allocated for iface->roam_synch_frame_ind.bcn_probe_rsp,
iface->roam_synch_frame_ind.bcn_reassoc_req,
iface->roam_synch_frame_ind.bcn_reassoc_rsp when the wmi event
WMI_ROAM_SYNCH_FRAME_EVENT is received. This event is followed
by a WMI_ROAM_SYNCH_EVENT from the firmware where the host
copies the bcn_probe_rsp, bcn_reassoc_req, bcn_reassoc_rsp to
the structure roam_synch_ind_ptr and frees the allocated memory.
In this flow memory leak can happen in following cases:
1. Firmware sends multiple cascade of WMI_ROAM_SYNCH_FRAME_EVENT
the host allocates bcn_reassoc_req, bcn_reassoc_rsp and
bcn_probe_rsp with out freeing the previous instance.
2. Firmware sends WMI_ROAM_SYNCH_FRAME_EVENT with either
bcn_reassoc_req or bcn_reassoc_req or bcn_probe_rsp NULL or all
the three are NULL.
3. Firmware sends WMI_ROAM_SYNCH_FRAME_EVENT having
bcn_reassoc_req bcn_reassoc_req and bcn_probe_rsp. Then it sends
the WMI_ROAM_SYNCH_EVENT with non zero bcn_reassoc_req_len or
bcn_reassoc_rsp_len or bcn_probe_rsp length.
4. Host doesn't free the allocated memory in
wma_roam_synch_frame_event_handler during failure cases.
Check if received iface->roam_synch_frame_ind has non NULL
bcn_probe_rsp, bcn_reassoc_req, bcn_reassoc_rsp and free the
same before allocating new memory. Also free the allocated
bcn_probe_rsp, bcn_reassoc_req, bcn_reassoc_rsp in failure
return cases.
Change-Id: I2b76769d09fd61929f7837cb8661d778cd2f881a
CRs-Fixed: 2282413
1 file changed