Merge March 2024 QCOM security patches
These commits were cherry-picked from the public CLO repo:
https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn
Bug: 315210059
Signed-off-by: Andrew Evans <andrewevans@google.com>
(cherry picked from https://partner-android-review.googlesource.com/q/commit:7ead733dc4a5724fee03a7e13c8b65be8bd47e47)
Merged-In: I018973684aa33861452d01c128f64dca2bdd64f6
Change-Id: I018973684aa33861452d01c128f64dca2bdd64f6
diff --git a/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
index 820e7ba..e5a50da 100644
--- a/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
@@ -2851,8 +2851,10 @@
subie_len,
mbssid_info.split_prof_continue,
mbssid_info.prof_residue);
- if (mbssid_info.split_prof_continue)
+ if (mbssid_info.split_prof_continue) {
qdf_mem_free(split_prof_start);
+ split_prof_start = NULL;
+ }
qdf_mem_free(new_ie);
return QDF_STATUS_E_INVAL;
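Review bot: The free-then-NULL sequence for `split_prof_start` is written out by hand on this error path and repeated in the hunks at -2874, -2986, -3003, -3044 and -3054, so the fix holds only while every future exit path remembers both statements. A small static helper that takes the address of the pointer, frees it and stores NULL, or a single cleanup label at the end of the function, would make the invariant structural rather than a convention. On this path the function returns on the next line, so the NULL store is purely defensive. The enclosing function starts and ends outside the hunk.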
@@ -2874,6 +2876,7 @@
subelement[ID_POS],
subelement[TAG_LEN_POS]);
qdf_mem_free(split_prof_start);
+ split_prof_start = NULL;
qdf_mem_free(new_ie);
return QDF_STATUS_E_INVAL;
} else if (retval == INVALID_NONTX_PROF) {
@@ -2986,14 +2989,22 @@
subie_len, new_ie,
mbssid_info.profile_num);
- if (!new_ie_len)
+ if (!new_ie_len) {
+ if (mbssid_info.split_prof_continue) {
+ qdf_mem_free(split_prof_start);
+ split_prof_start = NULL;
+ split_prof_end = NULL;
+ }
continue;
+ }
new_frame_len = frame_len - ielen + new_ie_len;
if (new_frame_len < 0) {
- if (mbssid_info.split_prof_continue)
+ if (mbssid_info.split_prof_continue) {
qdf_mem_free(split_prof_start);
+ split_prof_start = NULL;
+ }
qdf_mem_free(new_ie);
scm_err("Invalid frame:Stop MBSSIE parsing");
scm_err("Frame_len: %zu,ielen:%u,new_ie_len:%u",
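Review bot: The new `!new_ie_len` branch clears `split_prof_start` and `split_prof_end` but leaves `mbssid_info.split_prof_continue` set before `continue`, whereas the status-error path in the -3044 hunk also calls `qdf_mem_zero(&mbssid_info, sizeof(mbssid_info))`. If the flag is not reset elsewhere in the loop, which this hunk does not show, the next iteration would treat a NULL `split_prof_start` as an in-progress split profile. Either clear the flag in this branch as well, or add a comment naming the place where it is reset. The success path in the -3054 hunk has the same flag/pointer pairing, so it deserves the same check.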
@@ -3003,8 +3014,10 @@
new_frame = qdf_mem_malloc(new_frame_len);
if (!new_frame) {
- if (mbssid_info.split_prof_continue)
+ if (mbssid_info.split_prof_continue) {
qdf_mem_free(split_prof_start);
+ split_prof_start = NULL;
+ }
qdf_mem_free(new_ie);
scm_err_rl("Malloc for new_frame failed");
scm_err_rl("split_prof_continue: %d",
@@ -3044,6 +3057,8 @@
if (QDF_IS_STATUS_ERROR(status)) {
if (mbssid_info.split_prof_continue) {
qdf_mem_free(split_prof_start);
+ split_prof_start = NULL;
+ split_prof_end = NULL;
qdf_mem_zero(&mbssid_info,
sizeof(mbssid_info));
}
@@ -3054,8 +3069,11 @@
break;
}
/* scan entry makes its own copy so free the frame*/
- if (mbssid_info.split_prof_continue)
+ if (mbssid_info.split_prof_continue) {
qdf_mem_free(split_prof_start);
+ split_prof_start = NULL;
+ split_prof_end = NULL;
+ }
qdf_mem_free(new_frame);
}
@@ -3063,6 +3081,9 @@
}
qdf_mem_free(new_ie);
+ if (split_prof_start)
+ qdf_mem_free(split_prof_start);
+
return QDF_STATUS_SUCCESS;
}
#else
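Review bot: The final `if (split_prof_start) qdf_mem_free(split_prof_start);` is safe only if the pointer is initialised to NULL at its declaration and every earlier free of the buffer also resets it. Neither the declaration nor the frees outside this diff are visible here, and a missed path would turn this leak fix into a double free, so both are worth confirming. The earlier paths key the free on `mbssid_info.split_prof_continue` while this one keys on the pointer, so a comment explaining the case would help, e.g. `/* free a split profile that was started but never completed */`. If `qdf_mem_free()` accepts NULL, as the unconditional frees of `new_ie` suggest but do not prove, the guard can be dropped.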