Use unsigned int to fix wrong full scan bucket calculation

Sometimes a Wifi HAL crash is observed due to an illegal access through
a WifiCommand pointer. In ScanCommand, the mGlobalFullScanBuckets
variable is defined as "unsigned" and the mLocalFullScanBuckets
variable is defined as "bool". This means mGlobalFullScanBuckets
will not reach "0" in most cases and FullScanResultsCommand will
not be removed at the proper time. Since FullScanResultsCommand
is managed with the fixed value 0x1000 as its request id, this leads to
a crash through the following sequence.

1. Register FullScanResultsCommand with 0x1000.
2. Request start GSCAN with 0x1000 from the framework.
3. FullScanResultsCommand is unregistered by stop GSCAN request.
4. Request start GSCAN from the framework.
   (There are two ScanCommands registered at this point.)
5. ScanCommand registered at 4 and event_cb registered at 2 are
   unregistered by stop GSCAN request.
   (There is still event_cb registered at 4 that contains a pointer
    to ScanCommand just unregistered and freed.)
6. Request start GSCAN from the framework.

When the scan result of the GSCAN issued at step 6 is received, a crash
happens at the cbi->cb_arg ScanCommand (WifiCommand) pointer that was
registered at step 4 and already freed at step 5.

By using unsigned int for mLocalFullScanBuckets to correct the bucket
calculation, step 3 will not happen and the crash will no longer occur.

Change-Id: Iab732c73cdf914549703f656be9b20fbd084d42b
1 file changed
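The following is an added illustration, not code from the HAL or from this change: a hypothetical model of the bookkeeping the message describes, where each scan adds its count of full-result buckets to a shared global and subtracts it again on stop. The names (ScanModel, fullScanHandler, handlerReleasedAfterStop) are assumptions; it only shows how a bool-typed local count keeps the global from returning to zero, so the handler keyed by 0x1000 is never released, while an unsigned local count releases it.

```cpp
#include <cassert>
#include <cstdio>

// Hypothetical model (not the HAL's own code) of the bucket bookkeeping
// described in the commit message: each scan counts the buckets that
// report full results, adds that count to a static global, and subtracts
// its own count again on stop. The handler keyed by request id 0x1000
// must be unregistered exactly when the global count returns to zero.
template <typename LocalT>
struct ScanModel {
    static unsigned global;          // stands in for mGlobalFullScanBuckets
    static bool fullScanHandler;     // FullScanResultsCommand registered?
    LocalT local = 0;                // stands in for mLocalFullScanBuckets

    void start(const bool *reportsFull, int nbuckets) {
        unsigned count = 0;
        for (int i = 0; i < nbuckets; i++)
            if (reportsFull[i]) count++;
        local = count;               // a bool collapses 2 to 1 here
        if (count) {
            if (global == 0) fullScanHandler = true;   // first user registers
            global += count;
        }
    }
    void stop() {
        global -= local;             // bool local subtracts at most 1
        if (global == 0) fullScanHandler = false;      // last user releases
    }
};
template <typename T> unsigned ScanModel<T>::global = 0;
template <typename T> bool ScanModel<T>::fullScanHandler = false;

// Runs one start/stop cycle with two full-result buckets and reports
// whether the handler was released when the scan stopped.
template <typename LocalT>
bool handlerReleasedAfterStop() {
    const bool buckets[2] = {true, true};   // constructed sample input
    ScanModel<LocalT> scan;
    scan.start(buckets, 2);
    scan.stop();
    return !ScanModel<LocalT>::fullScanHandler;
}

int main() {
    printf("bool local:         released=%d\n", handlerReleasedAfterStop<bool>());
    printf("unsigned int local: released=%d\n", handlerReleasedAfterStop<unsigned>());
    return 0;
}
```

With a bool local the global is left at 1 after stop, so the handler (and the pointer it holds) outlives the scan that registered it; with unsigned int the global returns to 0 and the handler is released on the first stop.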