qcacld-3.0: Fix Mem leak during GTK/IGTK rekey in FT-SuiteB roam

Commit I5aa50145fcd3ba91b1c92d4817b7f0e4fc216e3f added, for the
FT-SuiteB case, an allocation of memory for GTK/IGTK in
wlan_parse_ftie_sha384 while parsing the FTIE in the Assoc/Reassoc
response, but that memory is not freed properly.
This change frees that memory wherever required.

Change-Id: I59ccdd234efd2ee693b05426e62d3c2422fb5326
CRs-Fixed: 2747641
Srikanth Marepalli 2020-08-06 17:50:00 +05:30 committed by snandini
parent 0099b427ea
commit b3a17c8661
5 changed files with 35 additions and 0 deletions


@ -586,6 +586,14 @@ lim_handle_pmfcomeback_timer(struct pe_session *session_entry,
}
#endif
static void clean_up_ft_sha384(tpSirAssocRsp assoc_rsp, bool sha384_akm)
{
if (sha384_akm) {
qdf_mem_free(assoc_rsp->sha384_ft_subelem.gtk);
qdf_mem_free(assoc_rsp->sha384_ft_subelem.igtk);
}
}
/**
* lim_process_assoc_rsp_frame() - Processes assoc response
* @mac_ctx: Pointer to Global MAC structure
@ -622,6 +630,8 @@ lim_process_assoc_rsp_frame(struct mac_context *mac_ctx, uint8_t *rx_pkt_info,
uint8_t ap_nss;
int8_t rssi;
QDF_STATUS status;
enum ani_akm_type auth_type;
bool sha384_akm;
tpRRMCaps rrm_caps = &mac_ctx->rrm.rrmPEContext.rrmEnabledCaps;
assoc_cnf.resultCode = eSIR_SME_SUCCESS;
@ -793,8 +803,12 @@ lim_process_assoc_rsp_frame(struct mac_context *mac_ctx, uint8_t *rx_pkt_info,
lim_update_ese_tspec(mac_ctx, session_entry, assoc_rsp);
#endif
auth_type = session_entry->connected_akm;
sha384_akm = lim_is_sha384_akm(auth_type);
if (lim_get_capability_info(mac_ctx, &caps, session_entry)
!= QDF_STATUS_SUCCESS) {
clean_up_ft_sha384(assoc_rsp, sha384_akm);
qdf_mem_free(assoc_rsp);
qdf_mem_free(beacon);
pe_err("could not retrieve Capabilities");
@ -829,6 +843,7 @@ lim_process_assoc_rsp_frame(struct mac_context *mac_ctx, uint8_t *rx_pkt_info,
/* return if retry again timer is started and ignore this assoc resp */
if (QDF_IS_STATUS_SUCCESS(status)) {
qdf_mem_free(beacon);
clean_up_ft_sha384(assoc_rsp, sha384_akm);
qdf_mem_free(assoc_rsp);
return;
}
@ -1032,6 +1047,7 @@ lim_process_assoc_rsp_frame(struct mac_context *mac_ctx, uint8_t *rx_pkt_info,
assoc_cnf.protStatusCode = eSIR_SME_SUCCESS;
lim_post_sme_message(mac_ctx, LIM_MLM_ASSOC_CNF,
(uint32_t *) &assoc_cnf);
clean_up_ft_sha384(assoc_rsp, sha384_akm);
qdf_mem_free(assoc_rsp);
qdf_mem_free(beacon);
return;
@ -1116,6 +1132,7 @@ lim_process_assoc_rsp_frame(struct mac_context *mac_ctx, uint8_t *rx_pkt_info,
beacon,
&session_entry->lim_join_req->bssDescription, true,
session_entry)) {
clean_up_ft_sha384(assoc_rsp, sha384_akm);
qdf_mem_free(assoc_rsp);
qdf_mem_free(beacon);
return;
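Review bot: `clean_up_ft_sha384()` frees the keys only when `sha384_akm` is true, and that flag comes from `session_entry->connected_akm` rather than from whether the parser actually allocated `gtk`/`igtk`; the other four files in this commit free both pointers unconditionally. If the session AKM and the parsed frame ever disagree, the buffers still leak on these four exit paths. `sha384_akm` is also declared without an initialiser and first assigned in the `@ -793` hunk, so any earlier exit in the function (not visible here) that frees `assoc_rsp` after parsing cannot call the helper safely. Assuming `qdf_mem_free()` tolerates NULL, as the unconditional call sites imply, consider dropping the flag so the helper body is just `qdf_mem_free(assoc_rsp->sha384_ft_subelem.gtk); qdf_mem_free(assoc_rsp->sha384_ft_subelem.igtk);`, with a comment above it such as `/* Release the GTK/IGTK buffers allocated while parsing the SHA384 FTIE */`.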


@ -325,6 +325,7 @@ void lim_perform_deauth(struct mac_context *mac_ctx, struct pe_session *pe_sessi
tLimMlmAssocCnf mlmAssocCnf;
uint16_t aid;
tpDphHashNode sta_ds;
tpSirAssocRsp assoc_rsp;
sta_ds = dph_lookup_hash_entry(mac_ctx, addr, &aid,
&pe_session->dph.dphHashTable);
@ -537,6 +538,10 @@ void lim_perform_deauth(struct mac_context *mac_ctx, struct pe_session *pe_sessi
lim_delete_pre_auth_node(mac_ctx, addr);
if (pe_session->limAssocResponseData) {
assoc_rsp = (tpSirAssocRsp) pe_session->
limAssocResponseData;
qdf_mem_free(assoc_rsp->sha384_ft_subelem.gtk);
qdf_mem_free(assoc_rsp->sha384_ft_subelem.igtk);
qdf_mem_free(pe_session->limAssocResponseData);
pe_session->limAssocResponseData = NULL;
}
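Review bot: The GTK and IGTK buffers hold group key material, and the added `qdf_mem_free()` calls return them to the allocator with their contents intact; consider clearing each buffer first (for example `qdf_mem_zero()` over the length the parser recorded for it) so stale keys do not linger in freed heap. The same applies to the identical sequences in lim_perform_disassoc, the two re-assoc context handlers, pe_delete_session, and to `clean_up_ft_sha384()`. Because the same free sequence is now repeated across five files, one shared non-static helper that clears, frees and NULLs both pointers would keep the call sites from drifting apart. The body of lim_perform_deauth continues outside both hunks.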


@ -363,6 +363,7 @@ void lim_perform_disassoc(struct mac_context *mac_ctx, int32_t frame_rssi,
tLimMlmDisassocInd mlmDisassocInd;
uint16_t aid;
tpDphHashNode sta_ds;
tpSirAssocRsp assoc_rsp;
sta_ds = dph_lookup_hash_entry(mac_ctx, addr, &aid,
&pe_session->dph.dphHashTable);
@ -393,6 +394,10 @@ void lim_perform_disassoc(struct mac_context *mac_ctx, int32_t frame_rssi,
pe_debug("received Disassoc from AP while waiting for Reassoc Rsp");
if (pe_session->limAssocResponseData) {
assoc_rsp = (tpSirAssocRsp) pe_session->
limAssocResponseData;
qdf_mem_free(assoc_rsp->sha384_ft_subelem.gtk);
qdf_mem_free(assoc_rsp->sha384_ft_subelem.igtk);
qdf_mem_free(pe_session->limAssocResponseData);
pe_session->limAssocResponseData = NULL;
}


@ -204,6 +204,8 @@ void lim_handle_del_bss_in_re_assoc_context(struct mac_context *mac,
qdf_mem_free(beacon_struct);
goto error;
}
qdf_mem_free(assocRsp->sha384_ft_subelem.gtk);
qdf_mem_free(assocRsp->sha384_ft_subelem.igtk);
qdf_mem_free(assocRsp);
qdf_mem_free(beacon_struct);
pe_session->limAssocResponseData = NULL;
@ -325,6 +327,8 @@ void lim_handle_add_bss_in_re_assoc_context(struct mac_context *mac,
qdf_mem_free(pBeaconStruct);
goto Error;
}
qdf_mem_free(assocRsp->sha384_ft_subelem.gtk);
qdf_mem_free(assocRsp->sha384_ft_subelem.igtk);
qdf_mem_free(assocRsp);
pe_session->limAssocResponseData = NULL;
qdf_mem_free(pBeaconStruct);
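Review bot: The `goto error` / `goto Error` branches visible just above each added pair free only the beacon structure, and what the code under those labels does with `assocRsp` and its `gtk`/`igtk` buffers is not visible in these hunks. If the labels leave `pe_session->limAssocResponseData` in place for pe_delete_session to release, this commit covers the failure path; if they free `assocRsp` directly, the two sub-buffers would still leak there. Worth confirming, and a short comment at each label such as `/* limAssocResponseData (incl. FT SHA384 gtk/igtk) is released by <owner> on failure */` would make the ownership explicit.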


@ -847,6 +847,7 @@ void pe_delete_session(struct mac_context *mac_ctx, struct pe_session *session)
uint16_t n;
TX_TIMER *timer_ptr;
struct wlan_objmgr_vdev *vdev;
tpSirAssocRsp assoc_rsp;
if (!session || (session && !session->valid)) {
pe_debug("session already deleted or not valid");
@ -968,6 +969,9 @@ void pe_delete_session(struct mac_context *mac_ctx, struct pe_session *session)
session->parsedAssocReq = NULL;
}
if (session->limAssocResponseData) {
assoc_rsp = (tpSirAssocRsp) session->limAssocResponseData;
qdf_mem_free(assoc_rsp->sha384_ft_subelem.gtk);
qdf_mem_free(assoc_rsp->sha384_ft_subelem.igtk);
qdf_mem_free(session->limAssocResponseData);
session->limAssocResponseData = NULL;
}