Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

This project is archived. Its data is read-only.

Commit af5f21e0 authored Dec 08, 2016 by Alexei Avshalom Lazar

fst-manager: Fix potential use of unset variable and double free



In fst_disconnect_peer(), ret might be used uninitialized.
Fix this by setting ret to initial value.
In _fst_mgr_peer_set_active_iface(), addr might be accessed while
it is NULL.
Fix this by checking NULL value.
In fst_dup_connection_sta(), str_mbies might get freed twice.
Fix this by freeing str_mbies at the end of the function.

CRs-Fixed: 1097078

Change-Id: Ia3db5ee66fe775396faa74d82e20fbdad52d5077
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>

parent e14ed976

fst_ctrl.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -1016,7 +1016,7 @@ int fst_dedup_connection(const struct fst_iface_info iface, const char acl_fil

		int fst_disconnect_peer(const char ifname, const u8 peer_addr)
		{
		int ret;
		int ret = -1;

		if (fst_is_supplicant()) {
		fst_mgr_printf(MSG_INFO, "ifname=%s", ifname);
		@@ -1030,7 +1030,7 @@ int fst_disconnect_peer(const char ifname, const u8 peer_addr)

		if (ret < 0) {
		fst_mgr_printf(MSG_ERROR, "failed to disconnect peer");
		return -1;
		return ret;
		}

		return 0;

fst_manager.c

+8 −6

Original line number	Diff line number	Diff line
		@@ -454,6 +454,7 @@ static int _fst_mgr_peer_set_active_iface(struct fst_mgr_peer *p,

		if (p->active_iface) {
		const u8 *addr = _fst_mgr_peer_get_addr_of_iface(p, p->active_iface);
		if (addr) {
		fst_mux_del_map_entry(drv, addr);
		fst_mgr_printf(MSG_INFO,
		"Map entry removed: " MACSTR " via %s",
		@@ -461,6 +462,7 @@ static int _fst_mgr_peer_set_active_iface(struct fst_mgr_peer *p,
		p->active_iface->info.name);
		p->active_iface = NULL;
		}
		}

		if (!i)
		return 0;

fst_rateupg.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -312,7 +312,6 @@ static int fst_dup_connection_sta(const struct rate_upgrade_group *g,
		fst_mgr_printf(MSG_ERROR, "failed converting hex mbie to bin");
		goto error_mbie;
		}
		os_free(str_mbies);

		/* for each slave duplicate the addresses from all bands */
		for (i = 0; i < g->slave_cnt; i++) {
		@@ -338,6 +337,7 @@ static int fst_dup_connection_sta(const struct rate_upgrade_group *g,
		mbies_size -= mbie->len + 2;
		}
		}
		os_free(str_mbies);
		os_free(mbies);
		return 0;