From 378c9d3f25e3a533523ca4f01b9b234cac1d5d4b Mon Sep 17 00:00:00 2001 From: Paul Zhang Date: Thu, 4 Jul 2019 10:47:20 +0800 Subject: [PATCH] qcacld-2.0: Fix potential double free in wma_log_supported_evt_handler propagation from qcacld-3.0 to qcacld-2.0 In wma_log_supported_evt_handler, events_logs_list in wma handle is freed if previously allocated. If the num_of_diag_events_logs exceeds the max size, we exit from the function early without allocating memory for events_logs_list. This can result in potential double free scenario if we receive another DIAG_EVENT_LOG_SUPPORTED event from firmware. Fix is to set events_logs_list pointer to NULL after freeing memory. Change-Id: I9d6148dfc064d87e2947d1b5ec4492c08913dd4c CRs-Fixed: 2482603
---
 drivers/net/wireless/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/net/wireless/qcacld-2.0/CORE/SERVICES/WMA/wma.c
index a5c81c99dd80..e500fdb193a0 100644
--- a/drivers/net/wireless/qcacld-2.0/CORE/SERVICES/WMA/wma.c
+++ b/drivers/net/wireless/qcacld-2.0/CORE/SERVICES/WMA/wma.c
@@ -20199,8 +20199,10 @@ static int wma_log_supported_evt_handler(void *handle,
 }

 /* Free any previous allocation */
- if (wma->events_logs_list)
+ if (wma->events_logs_list) {
 vos_mem_free(wma->events_logs_list);
+ wma->events_logs_list = NULL;
+ }

 /* Store the event list for run time enable/disable */
 wma->events_logs_list = vos_mem_malloc(num_of_diag_events_logs *
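Review bot: The added `wma->events_logs_list = NULL;` is overwritten by the `vos_mem_malloc()` assignment that directly follows the free in this hunk, so in the visible lines there is no exit between the free and the reallocation that could leave a stale pointer behind. The early return on an oversized `num_of_diag_events_logs` that the commit message describes appears to sit before the free in qcacld-2.0 (probably the block closed by the `}` at the top of the hunk), unlike the qcacld-3.0 ordering this fix was propagated from. Please confirm where that bound check sits relative to the free. The clear is still reasonable hardening, and a comment such as `/* Clear the stale pointer so a later error exit cannot free it again */` would record why it is there. The function starts and ends outside the hunk, so the handling of a failed `vos_mem_malloc()` and the overflow safety of the size multiplication cannot be checked from here.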