qcacld-3.0: Avoid double free in sch_gen_timing_advert_frame (5de9df0f) · Commits · e / devices / android_kernel_fairphone_FP5

core/mac/src/pe/sch/sch_api.c

+15 −16

Original line number	Diff line number	Diff line
		/*
		* Copyright (c) 2011-2020 The Linux Foundation. All rights reserved.
		* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
		*
		* Permission to use, copy, modify, and/or distribute this software for
		* any purpose with or without fee is hereby granted, provided that the
		@@ -364,52 +365,50 @@ uint32_t lim_send_probe_rsp_template_to_hal(struct mac_context *mac,
		* @timestamp_offset: return for the offset of the timestamp field
		* @time_value_offset: return for the time_value field in the TA IE
		*
		* Return: the length of the buffer.
		* Return: the length of the buffer on success and error code on failure.
		*/
		int sch_gen_timing_advert_frame(struct mac_context *mac_ctx, tSirMacAddr self_addr,
		uint8_t *buf, uint32_t timestamp_offset, uint32_t *time_value_offset)
		{
		tDot11fTimingAdvertisementFrame frame;
		tDot11fTimingAdvertisementFrame frame = {0};
		uint32_t payload_size, buf_size;
		int status;
		struct qdf_mac_addr wildcard_bssid = {
		{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
		};

		qdf_mem_zero((uint8_t *)&frame, sizeof(tDot11fTimingAdvertisementFrame));

		/* Populate the TA fields */
		status = populate_dot11f_timing_advert_frame(mac_ctx, &frame);
		if (status) {
		if (!QDF_IS_STATUS_SUCCESS(status)) {
		pe_err("Error populating TA frame %x", status);
		return status;
		return qdf_status_to_os_return(status);
		}

		status = dot11f_get_packed_timing_advertisement_frame_size(mac_ctx,
		&frame, &payload_size);
		if (DOT11F_FAILED(status)) {
		pe_err("Error getting packed frame size %x", status);
		return status;
		} else if (DOT11F_WARNED(status)) {
		pe_warn("Warning getting packed frame size");
		return -EINVAL;
		}
		if (DOT11F_WARNED(status))
		pe_warn("Warning getting packed frame size");

		buf_size = sizeof(tSirMacMgmtHdr) + payload_size;
		*buf = qdf_mem_malloc(buf_size);
		if (!*buf)
		return QDF_STATUS_E_FAILURE;
		return -ENOMEM;

		payload_size = 0;
		status = dot11f_pack_timing_advertisement_frame(mac_ctx, &frame,
		*buf + sizeof(tSirMacMgmtHdr), buf_size -
		sizeof(tSirMacMgmtHdr), &payload_size);
		pe_err("TA payload size2 = %d", payload_size);
		pe_debug("TA payload size2 = %d", payload_size);
		if (DOT11F_FAILED(status)) {
		pe_err("Error packing frame %x", status);
		goto fail;
		} else if (DOT11F_WARNED(status)) {
		pe_warn("Warning packing frame");
		}
		if (DOT11F_WARNED(status))
		pe_warn("Warning packing frame");

		lim_populate_mac_header(mac_ctx, *buf, SIR_MAC_MGMT_FRAME,
		SIR_MAC_MGMT_TIME_ADVERT, wildcard_bssid.bytes, self_addr);
		@@ -436,7 +435,7 @@ int sch_gen_timing_advert_frame(struct mac_context *mac_ctx, tSirMacAddr self_ad
		return payload_size + sizeof(tSirMacMgmtHdr);

		fail:
		if (*buf)
		qdf_mem_free(*buf);
		return status;
		*buf = NULL;
		return -EINVAL;
		}

core/sme/src/common/sme_api.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -8671,7 +8671,7 @@ void sme_get_command_q_status(mac_handle_t mac_handle)
		* @timestamp_offset: return for the offset of the timestamp field
		* @time_value_offset: return for the time_value field in the TA IE
		*
		* Return: the length of the buffer.
		* Return: the length of the buffer on success and error code on failure.
		*/
		int sme_ocb_gen_timing_advert_frame(mac_handle_t mac_handle,
		tSirMacAddr self_addr, uint8_t **buf,