
Commit f9d4e6ed authored by Yeshwanth Sriram Guntuka

qcacmn: Fix potential double free in send_log_supported_evt_cmd_tlv

In send_log_supported_evt_cmd_tlv, events_logs_list in
wma handle is freed if previously allocated. If the
num_of_diag_events_logs exceeds the max size, we exit
from the function early without allocating memory for
events_logs_list. This can result in potential double
free scenario if we receive another DIAG_EVENT_LOG_SUPPORTED
event from firmware.

Fix is to set events_logs_list pointer to NULL after
freeing memory.

Change-Id: I9d6148dfc064d87e2947d1b5ec4492c08913dd4c
CRs-Fixed: 2433802
parent 382e54f1
+3 −1
@@ -10895,8 +10895,10 @@ QDF_STATUS send_log_supported_evt_cmd_tlv(wmi_unified_t wmi_handle,
			__func__, num_of_diag_events_logs);

	/* Free any previous allocation */
	if (wmi_handle->events_logs_list)
	if (wmi_handle->events_logs_list) {
		qdf_mem_free(wmi_handle->events_logs_list);
		wmi_handle->events_logs_list = NULL;
	}

	if (num_of_diag_events_logs >
		(WMI_SVC_MSG_MAX_SIZE / sizeof(uint32_t))) {
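
Review bot: The free of wmi_handle->events_logs_list still runs before the num_of_diag_events_logs > (WMI_SVC_MSG_MAX_SIZE / sizeof(uint32_t)) check that follows it, so an oversized count from firmware discards the previous list and leaves the pointer NULL on the early exit. Clearing the pointer removes the double free, but consider moving the size check above the free so a rejected event leaves existing state untouched, and confirm that every other reader of events_logs_list tolerates NULL. If the handle also keeps an element count for this list, reset it inside the same braces so pointer and length stay consistent.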