author | Subhani Shaik <subhanis@codeaurora.org> | 2016-03-02 12:58:54 +0530 |
---|---|---|
committer | mukesh agrawal <quiche@google.com> | 2016-03-16 12:35:59 -0700 |
commit | 15edefc411e5d4afe85c0ca404e93f2346fde5b1 (patch) | |
tree | 6b46d968281745cac0e6207410a3d05b621472b7 /qcwcn | |
parent | ece09ad3912e4c8805ec1747617abd5817618e75 (diff) | |
download | wlan-15edefc411e5d4afe85c0ca404e93f2346fde5b1.tar.gz |
Wifi-HAL: Avoid illegal memory access in wifi_set_packet_filter fn.
In requestResponse(), the nl message is freed after a response for it
is received, but wifi_hal then tries to fill the same message again in
wifi_set_packet_filter() for the next fragment of data. This causes an
invalid memory access. To avoid this, destroy the object after sending
each fragment to the driver and allocate a fresh object, which in turn
creates and initializes a new nl message.
BUG: 27595799
Change-Id: I654203a55206a5efe820146bde43c20b76b55880
Diffstat (limited to 'qcwcn')
-rw-r--r-- | qcwcn/wifi_hal/wifi_hal.cpp | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index a407741..3727e0b 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -1269,15 +1269,15 @@ static wifi_error wifi_set_packet_filter(wifi_interface_handle iface,
         return WIFI_ERROR_INVALID_ARGS;
     }
 
-    ret = initialize_vendor_cmd(iface, get_requestid(),
-                                QCA_NL80211_VENDOR_SUBCMD_PACKET_FILTER,
-                                &vCommand);
-    if (ret != WIFI_SUCCESS) {
-        ALOGE("%s: Initialization failed", __FUNCTION__);
-        return (wifi_error)ret;
-    }
-
     do {
+        ret = initialize_vendor_cmd(iface, get_requestid(),
+                                    QCA_NL80211_VENDOR_SUBCMD_PACKET_FILTER,
+                                    &vCommand);
+        if (ret != WIFI_SUCCESS) {
+            ALOGE("%s: Initialization failed", __FUNCTION__);
+            return (wifi_error)ret;
+        }
+
         /* Add the vendor specific attributes for the NL command. */
         nlData = vCommand->attr_start(NL80211_ATTR_VENDOR_DATA);
         if (!nlData)
@@ -1317,11 +1317,16 @@ static wifi_error wifi_set_packet_filter(wifi_interface_handle iface,
             goto cleanup;
         }
 
+        /* destroy the object after sending each fragment to driver */
+        delete vCommand;
+        vCommand = NULL;
+
         current_offset += min(info->firmware_bus_max_size, len);
     } while (current_offset < len);
 
 cleanup:
-    delete vCommand;
+    if (vCommand)
+        delete vCommand;
     return (wifi_error)ret;
 }
 
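Review bot: The `if (vCommand)` guard added under `cleanup:` in the second hunk is redundant — `delete` on a null pointer is a no-op in C++ — so `delete vCommand;` alone is sufficient; the property that actually matters is that vCommand is NULL whenever no object is owned, which the new `vCommand = NULL;` after each fragment provides inside the loop. vCommand's declaration is outside both hunks; please confirm it is initialised to NULL there so `cleanup:` stays safe on every path. In the first hunk, the `return (wifi_error)ret;` on `initialize_vendor_cmd()` failure now sits inside the loop and bypasses `cleanup:`; it is correct only because vCommand is NULL at that point, and `goto cleanup;` would keep the loop's error handling uniform and would also release anything the failed initialisation might leave in vCommand, which cannot be determined from the hunk. The rest of the loop body, including the requestResponse() call that triggered the bug, lies outside the hunks.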