[DTV00857290][[DTV][Coverity Scanned Code Defect] 15367: Out-of-bounds write]
[Description]
Fix coverity defects under nic/nic_cmd_event.c
Fix Explicit null dereferenced
- Cid#361486 in line 266
- Cid#361485 in line 357
- Cid#361484 in line 393
- Cid#361483 in line 430
Check for NULL pointer.
Fix Out-of-bounds access
- Cid#361518 in line 1477
- Cid#361519 in line 1483
- Cid#361853 in line 1491
- Cid#361854 in line 1497
- Cid#361768 in line 1483
Change size of array 'aucPathWF0', 'aucPathWF1', 'aucPathRAWWF0',
and 'aucPathRAWWF1' into 256.
Fix Dereference before null check
- Cid#2190615 in line 2251.
Fix ARRAY_VS_SINGLETON
- Cid#361461 in line 1523.
Fix Resource leak
- Cid#2355223, Cid#2355224, Cid#2355225, Cid#2355227 in line 1541.
free memory before return.
Change-Id: I2c3c87be28152f1faa877e643bed04de82da7b66
Signed-off-by: Alice Ou <alice.ou@mediatek.com>
(cherry picked from commit 8771f9ad7e80ae68d247b2f1125bd5d9135b0259)
CR-Id: DTV00857290
(cherry picked from commit 030a6391054b5e25539e0c4028f549dcbeec8eb4)
(cherry picked from commit dd7cbf95fab4aa7663237d04fe42a50e854a6a59)
diff --git a/nic/nic_cmd_event.c b/nic/nic_cmd_event.c
index 680f4a5..f7d5398 100644
--- a/nic/nic_cmd_event.c
+++ b/nic/nic_cmd_event.c
@@ -245,22 +245,34 @@
ASSERT(prCmdInfo);
ASSERT(pucEventBuf);
- /* 4 <2> Update information of OID */
- if (prCmdInfo->fgIsOid) {
- prGlueInfo = prAdapter->prGlueInfo;
- prEventPfmuTagRead = (P_EVENT_PFMU_TAG_READ_T) (pucEventBuf);
-
- prPfumTagRead = (P_PARAM_CUSTOM_PFMU_TAG_READ_STRUCT_T) prCmdInfo->pvInformationBuffer;
-
- kalMemCopy(prPfumTagRead, prEventPfmuTagRead, sizeof(EVENT_PFMU_TAG_READ_T));
-
- u4QueryInfoLen = sizeof(CMD_TXBF_ACTION_T);
-
- g_rPfmuTag1 = prPfumTagRead->ru4TxBfPFMUTag1;
- g_rPfmuTag2 = prPfumTagRead->ru4TxBfPFMUTag2;
-
- kalOidComplete(prGlueInfo, prCmdInfo->fgSetQuery, u4QueryInfoLen, WLAN_STATUS_SUCCESS);
+ if (!pucEventBuf) {
+ DBGLOG(INIT, ERROR, "pucEventBuf is NULL.\n");
+ return;
}
+ if (!prCmdInfo->pvInformationBuffer) {
+ DBGLOG(INIT, ERROR, "prCmdInfo->pvInformationBuffer is NULL.\n");
+ return;
+ }
+ /* 4 <2> Update information of OID */
+ if (!prCmdInfo->fgIsOid) {
+ DBGLOG(INIT, ERROR, "cmd %u seq #%u not oid!",
+ prCmdInfo->ucCID, prCmdInfo->ucCmdSeqNum);
+ return;
+ }
+ prGlueInfo = prAdapter->prGlueInfo;
+ prEventPfmuTagRead = (P_EVENT_PFMU_TAG_READ_T) (pucEventBuf);
+
+ prPfumTagRead = (P_PARAM_CUSTOM_PFMU_TAG_READ_STRUCT_T) prCmdInfo->pvInformationBuffer;
+
+ kalMemCopy(prPfumTagRead, prEventPfmuTagRead, sizeof(EVENT_PFMU_TAG_READ_T));
+
+ u4QueryInfoLen = sizeof(CMD_TXBF_ACTION_T);
+
+ g_rPfmuTag1 = prPfumTagRead->ru4TxBfPFMUTag1;
+ g_rPfmuTag2 = prPfumTagRead->ru4TxBfPFMUTag2;
+
+ kalOidComplete(prGlueInfo, prCmdInfo->fgSetQuery, u4QueryInfoLen, WLAN_STATUS_SUCCESS);
+
DBGLOG(INIT, INFO, "========================== (R)Tag1 info ==========================\n");
DBGLOG(INIT, INFO, " Row data0 : %x, Row data1 : %x, Row data2 : %x, Row data3 : %x\n",
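Review bot: The copy `kalMemCopy(prPfumTagRead, prEventPfmuTagRead, sizeof(EVENT_PFMU_TAG_READ_T));` still writes a fixed-size struct into prCmdInfo->pvInformationBuffer without comparing against prCmdInfo->u4InformationBufferLength, so the new NULL check rules out a missing destination but not a short one; the same applies to the three sibling handlers at lines 348, 394 and 441. The handler at line 2299 in this same commit already gates its copy on u4InformationBufferLength, and the equivalent guard here would be `if (prCmdInfo->u4InformationBufferLength < sizeof(EVENT_PFMU_TAG_READ_T)) { DBGLOG(INIT, ERROR, "pvInformationBuffer too small.\n"); return; }` placed before the kalMemCopy. The new early return for a NULL pvInformationBuffer also leaves without calling kalOidComplete; if the glue layer waits on OID completion this presumably leaves the request pending — confirm against kalOidComplete's contract. The "not oid!" message in this hunk lacks the trailing "\n" that the other three copies carry. The enclosing function starts before this hunk and continues past it.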
@@ -336,23 +348,33 @@
ASSERT(prAdapter);
ASSERT(prCmdInfo);
ASSERT(pucEventBuf);
-
- /* 4 <2> Update information of OID */
- if (prCmdInfo->fgIsOid) {
- prGlueInfo = prAdapter->prGlueInfo;
- prEventHqaGetQd = (P_EVENT_HQA_GET_QD) (pucEventBuf);
-
- prGetQd = (P_PARAM_CUSTOM_GET_QD_STRUCT_T) prCmdInfo->pvInformationBuffer;
-
- kalMemCopy(prGetQd, prEventHqaGetQd, sizeof(EVENT_HQA_GET_QD));
-
- u4QueryInfoLen = sizeof(CMD_MUMIMO_ACTION_T);
-
- /* g_rPfmuTag1 = prPfumTagRead->ru4TxBfPFMUTag1; */
- /* g_rPfmuTag2 = prPfumTagRead->ru4TxBfPFMUTag2; */
-
- kalOidComplete(prGlueInfo, prCmdInfo->fgSetQuery, u4QueryInfoLen, WLAN_STATUS_SUCCESS);
+ if (!pucEventBuf) {
+ DBGLOG(INIT, ERROR, "pucEventBuf is NULL.\n");
+ return;
}
+ if (!prCmdInfo->pvInformationBuffer) {
+ DBGLOG(INIT, ERROR, "prCmdInfo->pvInformationBuffer is NULL.\n");
+ return;
+ }
+ /* 4 <2> Update information of OID */
+ if (!prCmdInfo->fgIsOid) {
+ DBGLOG(INIT, ERROR, "cmd %u seq #%u not oid!\n",
+ prCmdInfo->ucCID, prCmdInfo->ucCmdSeqNum);
+ return;
+ }
+ prGlueInfo = prAdapter->prGlueInfo;
+ prEventHqaGetQd = (P_EVENT_HQA_GET_QD) (pucEventBuf);
+
+ prGetQd = (P_PARAM_CUSTOM_GET_QD_STRUCT_T) prCmdInfo->pvInformationBuffer;
+
+ kalMemCopy(prGetQd, prEventHqaGetQd, sizeof(EVENT_HQA_GET_QD));
+
+ u4QueryInfoLen = sizeof(CMD_MUMIMO_ACTION_T);
+
+ /* g_rPfmuTag1 = prPfumTagRead->ru4TxBfPFMUTag1; */
+ /* g_rPfmuTag2 = prPfumTagRead->ru4TxBfPFMUTag2; */
+
+ kalOidComplete(prGlueInfo, prCmdInfo->fgSetQuery, u4QueryInfoLen, WLAN_STATUS_SUCCESS);
DBGLOG(INIT, INFO, " event id : %x\n", prGetQd->u4EventId);
for (i = 0; i < 14; i++)
@@ -372,23 +394,34 @@
ASSERT(prAdapter);
ASSERT(prCmdInfo);
ASSERT(pucEventBuf);
-
- /* 4 <2> Update information of OID */
- if (prCmdInfo->fgIsOid) {
- prGlueInfo = prAdapter->prGlueInfo;
- prEventHqaGetMuCalcLq = (P_EVENT_HQA_GET_MU_CALC_LQ) (pucEventBuf);
-
- prGetMuCalcLq = (P_PARAM_CUSTOM_GET_MU_CALC_LQ_STRUCT_T) prCmdInfo->pvInformationBuffer;
-
- kalMemCopy(prGetMuCalcLq, prEventHqaGetMuCalcLq, sizeof(EVENT_HQA_GET_MU_CALC_LQ));
-
- u4QueryInfoLen = sizeof(CMD_MUMIMO_ACTION_T);
-
- /* g_rPfmuTag1 = prPfumTagRead->ru4TxBfPFMUTag1; */
- /* g_rPfmuTag2 = prPfumTagRead->ru4TxBfPFMUTag2; */
-
- kalOidComplete(prGlueInfo, prCmdInfo->fgSetQuery, u4QueryInfoLen, WLAN_STATUS_SUCCESS);
+ if (!pucEventBuf) {
+ DBGLOG(INIT, ERROR, "pucEventBuf is NULL.\n");
+ return;
}
+ if (!prCmdInfo->pvInformationBuffer) {
+ DBGLOG(INIT, ERROR, "prCmdInfo->pvInformationBuffer is NULL.\n");
+ return;
+ }
+ /* 4 <2> Update information of OID */
+ if (!prCmdInfo->fgIsOid) {
+ DBGLOG(INIT, ERROR, "cmd %u seq #%u not oid!\n",
+ prCmdInfo->ucCID, prCmdInfo->ucCmdSeqNum);
+ return;
+ }
+ prGlueInfo = prAdapter->prGlueInfo;
+ prEventHqaGetMuCalcLq = (P_EVENT_HQA_GET_MU_CALC_LQ) (pucEventBuf);
+
+ prGetMuCalcLq = (P_PARAM_CUSTOM_GET_MU_CALC_LQ_STRUCT_T) prCmdInfo->pvInformationBuffer;
+
+ kalMemCopy(prGetMuCalcLq, prEventHqaGetMuCalcLq, sizeof(EVENT_HQA_GET_MU_CALC_LQ));
+
+ u4QueryInfoLen = sizeof(CMD_MUMIMO_ACTION_T);
+
+ /* g_rPfmuTag1 = prPfumTagRead->ru4TxBfPFMUTag1; */
+ /* g_rPfmuTag2 = prPfumTagRead->ru4TxBfPFMUTag2; */
+
+ kalOidComplete(prGlueInfo, prCmdInfo->fgSetQuery, u4QueryInfoLen, WLAN_STATUS_SUCCESS);
+
DBGLOG(INIT, INFO, " event id : %x\n", prGetMuCalcLq->u4EventId);
for (i = 0; i < NUM_OF_USER; i++)
@@ -408,23 +441,34 @@
ASSERT(prAdapter);
ASSERT(prCmdInfo);
ASSERT(pucEventBuf);
-
- /* 4 <2> Update information of OID */
- if (prCmdInfo->fgIsOid) {
- prGlueInfo = prAdapter->prGlueInfo;
- prEventShowGroupTblEntry = (P_EVENT_SHOW_GROUP_TBL_ENTRY) (pucEventBuf);
-
- prShowGroupTbl = (P_PARAM_CUSTOM_SHOW_GROUP_TBL_ENTRY_STRUCT_T) prCmdInfo->pvInformationBuffer;
-
- kalMemCopy(prShowGroupTbl, prEventShowGroupTblEntry, sizeof(EVENT_SHOW_GROUP_TBL_ENTRY));
-
- u4QueryInfoLen = sizeof(CMD_MUMIMO_ACTION_T);
-
- /* g_rPfmuTag1 = prPfumTagRead->ru4TxBfPFMUTag1; */
- /* g_rPfmuTag2 = prPfumTagRead->ru4TxBfPFMUTag2; */
-
- kalOidComplete(prGlueInfo, prCmdInfo->fgSetQuery, u4QueryInfoLen, WLAN_STATUS_SUCCESS);
+ if (!pucEventBuf) {
+ DBGLOG(INIT, ERROR, "pucEventBuf is NULL.\n");
+ return;
}
+ if (!prCmdInfo->pvInformationBuffer) {
+ DBGLOG(INIT, ERROR, "prCmdInfo->pvInformationBuffer is NULL.\n");
+ return;
+ }
+ /* 4 <2> Update information of OID */
+ if (!prCmdInfo->fgIsOid) {
+ DBGLOG(INIT, ERROR, "cmd %u seq #%u not oid!\n",
+ prCmdInfo->ucCID, prCmdInfo->ucCmdSeqNum);
+ return;
+ }
+ prGlueInfo = prAdapter->prGlueInfo;
+ prEventShowGroupTblEntry = (P_EVENT_SHOW_GROUP_TBL_ENTRY) (pucEventBuf);
+
+ prShowGroupTbl = (P_PARAM_CUSTOM_SHOW_GROUP_TBL_ENTRY_STRUCT_T) prCmdInfo->pvInformationBuffer;
+
+ kalMemCopy(prShowGroupTbl, prEventShowGroupTblEntry, sizeof(EVENT_SHOW_GROUP_TBL_ENTRY));
+
+ u4QueryInfoLen = sizeof(CMD_MUMIMO_ACTION_T);
+
+ /* g_rPfmuTag1 = prPfumTagRead->ru4TxBfPFMUTag1; */
+ /* g_rPfmuTag2 = prPfumTagRead->ru4TxBfPFMUTag2; */
+
+ kalOidComplete(prGlueInfo, prCmdInfo->fgSetQuery, u4QueryInfoLen, WLAN_STATUS_SUCCESS);
+
DBGLOG(INIT, INFO, "========================== (R)Group table info ==========================\n");
DBGLOG(INIT, INFO, " event id : %x\n", prEventShowGroupTblEntry->u4EventId);
@@ -1474,13 +1518,13 @@
sprintf(aucPathWF0, "/dump_out_%05ld_WF0.txt", g_u2DumpIndex);
sprintf(aucPathWF1, "/dump_out_%05ld_WF1.txt", g_u2DumpIndex);
if (kalCheckPath(aucPathWF0) == -1) {
- kalMemSet(aucPathWF0, 0x00, 256);
+ kalMemSet(aucPathWF0, 0x00, sizeof(aucPathWF0));
sprintf(aucPathWF0, "/data/dump_out_%05ld_WF0.txt", g_u2DumpIndex);
} else
kalTrunkPath(aucPathWF0);
if (kalCheckPath(aucPathWF1) == -1) {
- kalMemSet(aucPathWF1, 0x00, 256);
+ kalMemSet(aucPathWF1, 0x00, sizeof(aucPathWF1));
sprintf(aucPathWF1, "/data/dump_out_%05ld_WF1.txt", g_u2DumpIndex);
} else
kalTrunkPath(aucPathWF1);
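Review bot: The path strings are still built with unbounded `sprintf` on the lines around the new kalMemSet calls, so the change to sizeof() only bounds the clear, not the write the out-of-bounds finding was about; `snprintf(aucPathWF0, sizeof(aucPathWF0), "/dump_out_%05ld_WF0.txt", g_u2DumpIndex);` (and likewise for the other sprintf calls in this hunk and in the hunk at line 1532) would bound the write to the array. Judging by its prefix, g_u2DumpIndex looks like a 16-bit value, in which case `%05ld` is a format/argument mismatch; check its declaration and use a matching conversion. The enclosing function starts before this hunk and continues past it.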
@@ -1488,13 +1532,13 @@
sprintf(aucPathRAWWF0, "/dump_RAW_%05ld_WF0.txt", g_u2DumpIndex);
sprintf(aucPathRAWWF1, "/dump_RAW_%05ld_WF1.txt", g_u2DumpIndex);
if (kalCheckPath(aucPathRAWWF0) == -1) {
- kalMemSet(aucPathRAWWF0, 0x00, 256);
+ kalMemSet(aucPathRAWWF0, 0x00, sizeof(aucPathRAWWF0));
sprintf(aucPathRAWWF0, "/data/dump_RAW_%05ld_WF0.txt", g_u2DumpIndex);
} else
kalTrunkPath(aucPathRAWWF0);
if (kalCheckPath(aucPathRAWWF1) == -1) {
- kalMemSet(aucPathRAWWF1, 0x00, 256);
+ kalMemSet(aucPathRAWWF1, 0x00, sizeof(aucPathRAWWF1));
sprintf(aucPathRAWWF1, "/data/dump_RAW_%05ld_WF1.txt", g_u2DumpIndex);
} else
kalTrunkPath(aucPathRAWWF1);
@@ -1520,6 +1564,17 @@
/* 4 bytes : 12 bytes */
u4CpyLen = (u4RemainByte - u4FmtLen >= 0) ? u4FmtLen : u4RemainByte;
+ if ((ucDstOffset + u4CpyLen) > sizeof(icapBusData)) {
+ DBGLOG(INIT, ERROR,
+ "ucDstOffset(%u) + u4CpyLen(%u) exceed bound of icapBusData\n",
+ ucDstOffset, u4CpyLen);
+ kfree(pucDataWF0);
+ kfree(pucDataWF1);
+ kfree(pucDataRAWWF0);
+ kfree(pucDataRAWWF1);
+ ASSERT(-1);
+ return -1;
+ }
memcpy(&icapBusData + ucDstOffset, &prEventDumpMem->aucBuffer[0] + u4SrcOffset, u4CpyLen);
#if 0
if (prEventDumpMem->eIcapContent == ICAP_CONTENT_ADC) {
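Review bot: The added bound compares `ucDstOffset + u4CpyLen` in bytes against sizeof(icapBusData), but the memcpy it protects on the following context line computes its destination as `&icapBusData + ucDstOffset`, which advances the pointer in units of sizeof(icapBusData) rather than bytes; unless icapBusData is a single-byte object, the check does not describe the write it guards. The destination should be byte-addressed, `memcpy((unsigned char *)&icapBusData + ucDstOffset, &prEventDumpMem->aucBuffer[0] + u4SrcOffset, u4CpyLen);`, after which the new check covers the destination. The source side stays unchecked: if u4RemainByte and u4FmtLen are unsigned, as their prefixes suggest, `u4RemainByte - u4FmtLen >= 0` is always true and u4CpyLen is always u4FmtLen — confirm the types. The four kfree calls duplicate the function's cleanup; a shared exit label would keep the release in one place. The enclosing function begins before and ends after this hunk.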
@@ -2244,13 +2299,17 @@
ASSERT(prAdapter);
ASSERT(prCmdInfo);
+ if (!pucEventBuf) {
+ DBGLOG(REQ, ERROR, "pucEventBuf is null.\n");
+ return;
+ }
hdr = (P_CMD_ADV_CONFIG_HEADER_T) pucEventBuf;
DBGLOG(REQ, LOUD, "%s type %x len %d>\n", __func__, hdr->u2Type, hdr->u2Len);
if (prCmdInfo->fgIsOid) {
prGlueInfo = prAdapter->prGlueInfo;
query_len = hdr->u2Len;
query = prCmdInfo->pvInformationBuffer;
- if (hdr && query && (query_len == prCmdInfo->u4InformationBufferLength))
+ if (query && (query_len == prCmdInfo->u4InformationBufferLength))
kalMemCopy(query, hdr, query_len);
else
DBGLOG(REQ, LOUD, "%s type %x, len %d != buflen %d>\n"
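Review bot: The new message `"pucEventBuf is null.\n"` differs in wording from the `"pucEventBuf is NULL.\n"` text the same commit adds to the four handlers earlier in the file; matching them keeps log searches consistent. The early return here does not touch the pending OID, which is fine since nothing has been copied yet, but if the glue layer waits on kalOidComplete the request presumably stays pending — confirm against the OID completion contract. The enclosing function starts before this hunk and continues past its last line.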