authorSylvain Fonteneau <sylvain.fonteneau@trusted-logic.com>2011-01-14 15:07:33 +0100
committerNick Pelly <npelly@google.com>2011-01-18 15:30:48 -0800
commit42fd1ffc1f8f87e7faca1724d128dafa70ff3b1e (patch)
tree54ad6a5bb6230c21d406a8c10ce0d8610382e156
parent8608ad938da280b895e3bb71435d6fe34c589219 (diff)
downloadlibnfc-nxp-42fd1ffc1f8f87e7faca1724d128dafa70ff3b1e.tar.gz
Fixed erroneous LLCP frame on socket closure.
Moved data allocation from stack memory to heap in order to avoid invalid memory access. Previously, when trying to send a DM (acknowledgment to socket disconnect request), the stack was allocating some frame data on the stack, but this data was used after the function returned. Other calls to the same function are already using variables allocated on heap. Change-Id: Id7356a876fdecdd979ed3ddc6dbe100d6e92d43d
-rw-r--r--src/phFriNfc_LlcpTransport.h2
-rw-r--r--src/phFriNfc_LlcpTransport_Connection.c22
2 files changed, 11 insertions, 13 deletions
diff --git a/src/phFriNfc_LlcpTransport.h b/src/phFriNfc_LlcpTransport.h
index 9b35482..2aff8ea 100644
--- a/src/phFriNfc_LlcpTransport.h
+++ b/src/phFriNfc_LlcpTransport.h
@@ -246,6 +246,8 @@ struct phFriNfc_LlcpTransport
phFriNfc_Llcp_sPacketSequence_t sSequence;
/**< Info field of pending DM packet*/
+ phFriNfc_Llcp_sPacketHeader_t sDmHeader;
+ phNfc_sData_t sDmPayload;
uint8_t DmInfoBuffer[3];
uint8_t LinkStatusError;
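Review bot: The two new members are inserted between the `/**< Info field of pending DM packet*/` comment and `DmInfoBuffer`, which that comment appears to describe, so the comment now reads as if it belonged to `sDmHeader`. Neither new member documents that the send path keeps pointers to it after the sending function has returned, which is the reason it lives in the transport structure. I would move the existing comment back next to `DmInfoBuffer` and add `/* Header and payload descriptor of the DM frame being sent; must stay valid until the send callback runs */` above the new members. The struct definition starts and ends outside this hunk.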
diff --git a/src/phFriNfc_LlcpTransport_Connection.c b/src/phFriNfc_LlcpTransport_Connection.c
index 93dde68..9746d5b 100644
--- a/src/phFriNfc_LlcpTransport_Connection.c
+++ b/src/phFriNfc_LlcpTransport_Connection.c
@@ -377,9 +377,6 @@ static NFCSTATUS phFriNfc_Llcp_Send_DisconnectMode_Frame(phFriNfc_LlcpTransport_
uint8_t dmOpCode)
{
NFCSTATUS status = NFCSTATUS_SUCCESS;
- phFriNfc_Llcp_sPacketHeader_t sLocalLlcpHeader;
- uint8_t dmValue;
- phNfc_sData_t sLocalBuffer;
/* Test if a send is pending */
if(psTransport->bSendPending)
@@ -396,25 +393,24 @@ static NFCSTATUS phFriNfc_Llcp_Send_DisconnectMode_Frame(phFriNfc_LlcpTransport_
}
else
{
- /* Store the DM OpCode */
- dmValue = dmOpCode;
-
/* Set the header */
- sLocalLlcpHeader.dsap = dsap;
- sLocalLlcpHeader.ptype = PHFRINFC_LLCP_PTYPE_DM;
- sLocalLlcpHeader.ssap = ssap;
+ psTransport->sDmHeader.dsap = dsap;
+ psTransport->sDmHeader.ptype = PHFRINFC_LLCP_PTYPE_DM;
+ psTransport->sDmHeader.ssap = ssap;
- sLocalBuffer.buffer = &dmValue;
- sLocalBuffer.length = PHFRINFC_LLCP_DM_LENGTH;
+ /* Save Operation Code to be provided in DM frame payload */
+ psTransport->DmInfoBuffer[2] = dmOpCode;
+ psTransport->sDmPayload.buffer = &psTransport->DmInfoBuffer[2];
+ psTransport->sDmPayload.length = PHFRINFC_LLCP_DM_LENGTH;
/* Send Pending */
psTransport->bSendPending = TRUE;
/* Send DM frame */
status = phFriNfc_Llcp_Send(psTransport->pLlcp,
- &sLocalLlcpHeader,
+ &psTransport->sDmHeader,
NULL,
- &sLocalBuffer,
+ &psTransport->sDmPayload,
phFriNfc_LlcpTransport_ConnectionOriented_SendLlcp_CB,
psTransport);
}
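Review bot: The payload descriptor set at `psTransport->sDmPayload.buffer = &psTransport->DmInfoBuffer[2];` points into the buffer that the header describes as the info field of the pending DM packet, so the in-flight frame and a queued DM share one byte. If the send-pending branch (not visible in this hunk) stores a deferred opcode in `DmInfoBuffer`, a second disconnect arriving before the callback fires could change the opcode of the frame still being transmitted. A dedicated member would avoid that, for example a new `uint8_t DmOpCode;` in the transport structure with `psTransport->DmOpCode = dmOpCode;` and `psTransport->sDmPayload.buffer = &psTransport->DmOpCode;`. Separately, `bSendPending` is set before `phFriNfc_Llcp_Send` and the visible lines do not clear it when the call fails; the function continues outside the hunk, so that may be handled there.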