diff options
| author | Dmitry Shmidt <dimitrysh@google.com> | 2009-09-09 18:12:02 -0700 |
|---|---|---|
| committer | Dmitry Shmidt <dimitrysh@google.com> | 2009-09-09 18:14:41 -0700 |
| commit | 5e861de5ad899e72ec6582efb27da588b7583775 (patch) | |
| tree | cb09c1d5c4ae879a2ca2c2f00a9263de47d05cdd | |
| parent | 16ff62f309a29bce3cb9cc8ab4fdb1e30384aaa6 (diff) | |
| download | ti-5e861de5ad899e72ec6582efb27da588b7583775.tar.gz | |
Fix IE and Event memory corruption
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
| -rw-r--r-- | wilink_6_1/TWD/Ctrl/CmdBldCfgIE.c | 32 | ||||
| -rw-r--r-- | wilink_6_1/platforms/os/linux/src/CmdInterpretWext.c | 18 | ||||
| -rw-r--r-- | wilink_6_1/stad/src/Ctrl_Interface/DrvMain.c | 11 | ||||
| -rw-r--r-- | wilink_6_1/stad/src/Ctrl_Interface/EvHandler.c | 89 |
4 files changed, 65 insertions, 85 deletions
diff --git a/wilink_6_1/TWD/Ctrl/CmdBldCfgIE.c b/wilink_6_1/TWD/Ctrl/CmdBldCfgIE.c index 5a6a4b6..71500df 100644 --- a/wilink_6_1/TWD/Ctrl/CmdBldCfgIE.c +++ b/wilink_6_1/TWD/Ctrl/CmdBldCfgIE.c @@ -1854,43 +1854,35 @@ TI_STATUS cmdBld_CfgIeSetBaSession (TI_HANDLE hCmdBld, */ TI_STATUS cmdBld_CfgIeRadioParams (TI_HANDLE hCmdBld, IniFileRadioParam *pIniFileRadioParams, void *fCb, TI_HANDLE hCb) { + static TTestCmd TestCmd; TCmdBld *pCmdBld = (TCmdBld *)hCmdBld; TI_STATUS status = TI_NOK; - TTestCmd *pTestCmd; - - pTestCmd = os_memoryAlloc(pCmdBld->hOs, sizeof(TTestCmd)); - if (!pTestCmd) - return status; + TTestCmd *pTestCmd = &TestCmd; pTestCmd->testCmdId = TEST_CMD_INI_FILE_RADIO_PARAM; - + os_memoryCopy(pCmdBld->hOs, &pTestCmd->testCmd_u.IniFileRadioParams, pIniFileRadioParams, sizeof(IniFileRadioParam)); - status = cmdQueue_SendCommand (pCmdBld->hCmdQueue, CMD_TEST, (void *)pTestCmd, sizeof(IniFileRadioParam) + 4, fCb, hCb, - (void*)pTestCmd); - os_memoryFree(pCmdBld->hOs, pTestCmd, sizeof(TTestCmd)); + (void *)pTestCmd); return status; } TI_STATUS cmdBld_CfgPlatformGenParams (TI_HANDLE hCmdBld, IniFileGeneralParam *pGenParams, void *fCb, TI_HANDLE hCb) { + static TTestCmd TestCmd; TCmdBld *pCmdBld = (TCmdBld *)hCmdBld; TI_STATUS status = TI_NOK; - TTestCmd *pTestCmd; - - pTestCmd = os_memoryAlloc(pCmdBld->hOs, sizeof(TTestCmd)); - if (!pTestCmd) - return status; + TTestCmd *pTestCmd = &TestCmd; pTestCmd->testCmdId = TEST_CMD_INI_FILE_GENERAL_PARAM; - + os_memoryCopy(pCmdBld->hOs, &pTestCmd->testCmd_u.IniFileGeneralParams, pGenParams, sizeof(IniFileGeneralParam)); status = cmdQueue_SendCommand (pCmdBld->hCmdQueue, @@ -1899,14 +1891,11 @@ TI_STATUS cmdBld_CfgPlatformGenParams (TI_HANDLE hCmdBld, IniFileGeneralParam *p sizeof(IniFileGeneralParam), fCb, hCb, - (void*)pTestCmd); - os_memoryFree(pCmdBld->hOs, pTestCmd, sizeof(TTestCmd)); + (void *)pTestCmd); return status; } - - /**************************************************************************** * cmdBld_CfgIeBurstMode() **************************************************************************** @@ -1915,7 +1904,7 @@ TI_STATUS cmdBld_CfgPlatformGenParams (TI_HANDLE hCmdBld, IniFileGeneralParam *p * INPUTS: hCmdBld - handle to command builder object * bEnabled - is enabled flag * fCB - callback function for command complete - * hCb - handle to be apssed to callback function + * hCb - handle to be apssed to callback function * * OUTPUT: None * @@ -1928,7 +1917,7 @@ TI_STATUS cmdBld_CfgIeBurstMode (TI_HANDLE hCmdBld, TI_BOOL bEnabled, void *fCb, AcxBurstMode *pCfg = &tAcxBurstMode; /* set IE header */ - pCfg->EleHdr.id = ACX_BURST_MODE; + pCfg->EleHdr.id = ACX_BURST_MODE; pCfg->EleHdr.len = sizeof(*pCfg) - sizeof(EleHdrStruct); /* set burst mode value */ @@ -2034,5 +2023,4 @@ TI_STATUS cmdBld_CfgIeSRDebug (TI_HANDLE hCmdBld, ACXSmartReflexDebugParams_t *p /* send the command to the FW */ return cmdQueue_SendCommand (pCmdBld->hCmdQueue, CMD_CONFIGURE, pCfg, sizeof(*pCfg), fCb, hCb, NULL); - } diff --git a/wilink_6_1/platforms/os/linux/src/CmdInterpretWext.c b/wilink_6_1/platforms/os/linux/src/CmdInterpretWext.c index 4a722ee..7163744 100644 --- a/wilink_6_1/platforms/os/linux/src/CmdInterpretWext.c +++ b/wilink_6_1/platforms/os/linux/src/CmdInterpretWext.c @@ -71,7 +71,7 @@ static const char *ieee80211_modes[] = { typedef struct { - TI_UINT8 *assocRespBuffer; + TI_UINT8 *assocRespBuffer; TI_UINT32 assocRespLen; } cckm_assocInformation_t; @@ -110,7 +110,7 @@ TI_HANDLE cmdInterpret_Create (TI_HANDLE hOs) /* Deinitialize the cmdInterpreter module */ TI_STATUS cmdInterpret_Destroy (TI_HANDLE hCmdInterpret, TI_HANDLE hEvHandler) { - cmdInterpret_t * pCmdInterpret = (cmdInterpret_t *)hCmdInterpret; + cmdInterpret_t *pCmdInterpret = (cmdInterpret_t *)hCmdInterpret; /* Unregister events */ cmdInterpret_unregisterEvents ((TI_HANDLE)pCmdInterpret, hEvHandler); @@ -1369,14 +1369,14 @@ static int cmdInterpret_initEvents(TI_HANDLE hCmdInterpret) for (i=0; i<IPC_EVENT_MAX; i++) { - evParams.uDeliveryType = DELIVERY_PUSH; - evParams.uProcessID = 0; - evParams.uEventID = 0; - evParams.hUserParam = hCmdInterpret; - evParams.pfEventCallback = cmdInterpret_Event; - evParams.uEventType = i; + evParams.uDeliveryType = DELIVERY_PUSH; + evParams.uProcessID = 0; + evParams.uEventID = 0; + evParams.hUserParam = hCmdInterpret; + evParams.pfEventCallback = cmdInterpret_Event; + evParams.uEventType = i; EvHandlerRegisterEvent (pCmdInterpret->hEvHandler, (TI_UINT8*) &evParams, sizeof(IPC_EVENT_PARAMS)); - pCmdInterpret->hEvents[i] = evParams.uEventID; + pCmdInterpret->hEvents[i] = evParams.uEventID; } return TI_OK; diff --git a/wilink_6_1/stad/src/Ctrl_Interface/DrvMain.c b/wilink_6_1/stad/src/Ctrl_Interface/DrvMain.c index b01dcdc..03b5e76 100644 --- a/wilink_6_1/stad/src/Ctrl_Interface/DrvMain.c +++ b/wilink_6_1/stad/src/Ctrl_Interface/DrvMain.c @@ -550,7 +550,6 @@ TI_STATUS drvMain_Create (TI_HANDLE hOs, return TI_OK; } - /* * \fn drvMain_Destroy * \brief Destroy driver @@ -663,11 +662,6 @@ TI_STATUS drvMain_Destroy (TI_HANDLE hDrvMain) txnQ_Destroy (pDrvMain->tStadHandles.hTxnQ); } - if (pDrvMain->tStadHandles.hEvHandler != NULL) - { - EvHandlerUnload (pDrvMain->tStadHandles.hEvHandler); - } - if (pDrvMain->tStadHandles.hRsn != NULL) { rsn_unload (pDrvMain->tStadHandles.hRsn); @@ -735,6 +729,11 @@ TI_STATUS drvMain_Destroy (TI_HANDLE hDrvMain) cmdHndlr_Destroy (pDrvMain->tStadHandles.hCmdHndlr, pDrvMain->tStadHandles.hEvHandler); } + if (pDrvMain->tStadHandles.hEvHandler != NULL) + { + EvHandlerUnload (pDrvMain->tStadHandles.hEvHandler); + } + if (pDrvMain->tStadHandles.hCmdDispatch) { cmdDispatch_Destroy (pDrvMain->tStadHandles.hCmdDispatch); diff --git a/wilink_6_1/stad/src/Ctrl_Interface/EvHandler.c b/wilink_6_1/stad/src/Ctrl_Interface/EvHandler.c index b76b682..99205b4 100644 --- a/wilink_6_1/stad/src/Ctrl_Interface/EvHandler.c +++ b/wilink_6_1/stad/src/Ctrl_Interface/EvHandler.c @@ -63,7 +63,7 @@ TI_HANDLE EvHandler_Create (TI_HANDLE hOs) #endif pEvHandler->hOs = hOs; - + pEvHandler->LastUMEventType = 0xFFFFFFFF; return (TI_HANDLE) pEvHandler; @@ -72,22 +72,22 @@ TI_HANDLE EvHandler_Create (TI_HANDLE hOs) TI_UINT32 EvHandlerUnload (TI_HANDLE hEvHandler) { - TEvHandlerObj *pEvHandler; + TEvHandlerObj *pEvHandler; PRINT(DBG_INIT_LOUD, (" ev_handler_unLoad\n")); pEvHandler = (TEvHandlerObj *)hEvHandler; os_memoryFree(pEvHandler->hOs,pEvHandler,sizeof(TEvHandlerObj)); - return TI_OK; + return TI_OK; } TI_UINT32 EvHandlerRegisterEvent(TI_HANDLE hEvHandler, TI_UINT8* pData, TI_UINT32 Length) { TEvHandlerObj *pEvHandler; - IPC_EVENT_PARAMS* pEvParams; - TI_UINT32 ModuleIndex; + IPC_EVENT_PARAMS *pEvParams; + TI_UINT32 ModuleIndex; if( (hEvHandler==NULL) || (pData == NULL)){ PRINT(DBG_INIT_ERROR, "EvHandler:EvHandlerRegisterEvent Bad Handle passed \n"); @@ -102,22 +102,20 @@ TI_UINT32 EvHandlerRegisterEvent(TI_HANDLE hEvHandler, TI_UINT8* pData, TI_UINT3 #endif pEvHandler = (TEvHandlerObj *)hEvHandler; + pEvParams = (IPC_EVENT_PARAMS *)pData; - pEvParams = (IPC_EVENT_PARAMS*)pData; - - PRINTF(DBG_INIT_LOUD, (" EvHandlerRegisterEvent EventType = %d \n",pEvParams->uEventType)); - /* used to be: if ( sizeof(IPC_EVENT_PARAMS) != Length) + /* used to be: if ( sizeof(IPC_EVENT_PARAMS) != Length) relaxed size checking (okay if output buffer is larger) */ - if ( sizeof(IPC_EVENT_PARAMS) > Length) + if (sizeof(IPC_EVENT_PARAMS) > Length) { PRINTF(DBG_INIT_ERROR, (" EvHandlerRegisterEvent Error sizeof(IPC_EVENT_PARAMS) != Length," "%d != %d \n",sizeof(IPC_EVENT_PARAMS), (int)Length)); return (TI_UINT32)STATUS_INVALID_PARAMETER; } - if( pEvParams->uEventType >= IPC_EVENT_MAX){ + if (pEvParams->uEventType >= IPC_EVENT_MAX){ PRINTF(DBG_INIT_ERROR, (" EvHandlerRegisterEvent Error - Invalid Event Type = %d \n", pEvParams->uEventType)); return (TI_UINT32)STATUS_INVALID_PARAMETER; @@ -125,19 +123,18 @@ TI_UINT32 EvHandlerRegisterEvent(TI_HANDLE hEvHandler, TI_UINT8* pData, TI_UINT3 ModuleIndex = 0; - while ( (pEvHandler->RegistrationArray[pEvParams->uEventType][ModuleIndex].uEventID != NULL ) - && ( ModuleIndex < MAX_REGISTERED_MODULES) ) + while ((ModuleIndex < MAX_REGISTERED_MODULES) && + (pEvHandler->RegistrationArray[pEvParams->uEventType][ModuleIndex].uEventID != NULL)) { - ModuleIndex++; + ModuleIndex++; } - if(ModuleIndex == MAX_REGISTERED_MODULES) + if (ModuleIndex == MAX_REGISTERED_MODULES) { - PRINTF(DBG_INIT_WARNING, (" EvHandlerRegisterEvent %d" - "Registration queue full or event already registered!\n", - pEvParams->uEventType)); - - return (TI_UINT32)STATUS_INVALID_PARAMETER; + PRINTF(DBG_INIT_WARNING, (" EvHandlerRegisterEvent %d " + "Registration queue full or event already registered!\n", + pEvParams->uEventType)); + return (TI_UINT32)STATUS_INVALID_PARAMETER; } os_memoryCopy(pEvHandler->hOs,(TI_UINT8*)&pEvHandler->RegistrationArray[pEvParams->uEventType][ModuleIndex], @@ -148,7 +145,6 @@ TI_UINT32 EvHandlerRegisterEvent(TI_HANDLE hEvHandler, TI_UINT8* pData, TI_UINT3 pEvHandler->RegistrationArray[pEvParams->uEventType][ModuleIndex].uEventID = pEvParams->uEventID; PRINT(DBG_INIT_LOUD, " EvHandlerRegisterEvent Out \n"); - return STATUS_SUCCESS; } @@ -157,24 +153,23 @@ TI_UINT32 EvHandlerRegisterEvent(TI_HANDLE hEvHandler, TI_UINT8* pData, TI_UINT3 TI_UINT32 EvHandlerUnRegisterEvent(TI_HANDLE hEvHandler, TI_HANDLE uEventID) { TEvHandlerObj *pEvHandler; - IPC_EVENT_PARAMS* pEvParams; - TI_UINT32 ModuleIndex; + IPC_EVENT_PARAMS *pEvParams; + TI_UINT32 ModuleIndex; - #ifdef EV_HANDLER_DEBUG - if (ghEvHandler != hEvHandler ) +#ifdef EV_HANDLER_DEBUG + if (ghEvHandler != hEvHandler ) { return TI_NOK; } - #endif +#endif - if (uEventID == NULL) + if (uEventID == NULL) { return TI_NOK; } pEvHandler = (TEvHandlerObj *)hEvHandler; - pEvParams = (IPC_EVENT_PARAMS*)uEventID; - + pEvParams = (IPC_EVENT_PARAMS *)uEventID; PRINTF(DBG_INIT_LOUD, (" EvHandlerUnRegisterEvent EventType = %d \n",pEvParams->uEventType)); @@ -186,21 +181,19 @@ TI_UINT32 EvHandlerUnRegisterEvent(TI_HANDLE hEvHandler, TI_HANDLE uEventID) ModuleIndex = 0; - while ( (pEvHandler->RegistrationArray[pEvParams->uEventType][ModuleIndex].uEventID != pEvParams->uEventID ) - && ( ModuleIndex < MAX_REGISTERED_MODULES) ) + while ((ModuleIndex < MAX_REGISTERED_MODULES) && + (pEvHandler->RegistrationArray[pEvParams->uEventType][ModuleIndex].uEventID != pEvParams->uEventID)) { - ModuleIndex++; + ModuleIndex++; } - if(ModuleIndex == MAX_REGISTERED_MODULES) + if (ModuleIndex == MAX_REGISTERED_MODULES) { - PRINTF(DBG_INIT_ERROR, (" EvHandlerUnRegisterEvent %d" + PRINTF(DBG_INIT_ERROR, (" EvHandlerUnRegisterEvent %d " "Registration queue doesn't hold this event!\n", pEvParams->uEventType )); - - return (TI_UINT32)STATUS_INVALID_PARAMETER; + return (TI_UINT32)STATUS_INVALID_PARAMETER; } - pEvHandler->RegistrationArray[pEvParams->uEventType][ModuleIndex].uEventID = NULL; return STATUS_SUCCESS; @@ -240,7 +233,7 @@ TI_UINT32 EvHandlerSendEvent(TI_HANDLE hEvHandler, TI_UINT32 EvType, TI_UINT8* p if (pEvHandler->RegistrationArray[EvType][ModuleIndex].uEventID != NULL ) { if(pEvHandler->SendEventArray.Counter == MAX_SEND_EVENTS) - { + { PRINT(DBG_INIT_ERROR, " EvHandlerSendEvent Array Full u Fool! \n"); return TI_NOK; } @@ -253,17 +246,17 @@ TI_UINT32 EvHandlerSendEvent(TI_HANDLE hEvHandler, TI_UINT32 EvType, TI_UINT8* p sizeof(IPC_EVENT_PARAMS)); os_memoryZero(pEvHandler->hOs,(TI_UINT8*)pNewEvent->uBuffer, sizeof(pNewEvent->uBuffer)); - - os_memoryCopy(pEvHandler->hOs, - (TI_UINT8*)pNewEvent->uBuffer, - (TI_UINT8*)pData, - Length); - + + os_memoryCopy(pEvHandler->hOs, + (TI_UINT8*)pNewEvent->uBuffer, + (TI_UINT8*)pData, + Length); + pNewEvent->uBufferSize = Length; - + if(pNewEvent->EvParams.uDeliveryType == DELIVERY_PUSH) { - PRINTF(DBG_INIT_LOUD, (" EvHandlerSendEvent %d to OS \n", EvType)); + PRINTF(DBG_INIT_LOUD, (" EvHandlerSendEvent %d to OS \n", EvType)); PRINTF(DBG_INIT_LOUD, ("EvHandlerSendEvent Matching OS Registered event found at EvType = %d," "ModuleIndex = %d \n", EvType, ModuleIndex)); IPC_EventSend (pEvHandler->hOs,(TI_UINT8*)pNewEvent,sizeof(IPC_EV_DATA)); @@ -281,10 +274,10 @@ TI_UINT32 EvHandlerSendEvent(TI_HANDLE hEvHandler, TI_UINT32 EvType, TI_UINT8* p { IPC_EventSend (pEvHandler->hOs,NULL,0); } - } + } } /* end if*/ - ModuleIndex++; + ModuleIndex++; } /* end of while*/ |