[DTV00857290][[DTV][Coverity Scanned Code Defect] 15367: Out-of-bounds write]

[Description]
Fix coverity defects under mgmt/

i. Fix "dereference before null check" issues.
ii. Remove do-while style flow.

[Related CIDs]
CID70640, CID70639, CID70637

Change-Id: Id046d58a02a7ab0ea211048217e78c1900d6eddb
Signed-off-by: Awk Jiang <awk.jiang@mediatek.com>
CR-Id: DTV00857290
Feature: misc
(cherry picked from commit 93fd3e42a7bc812a69cb7e2d449a53dc9316c30a)
diff --git a/mgmt/p2p_dev_fsm.c b/mgmt/p2p_dev_fsm.c
index 40230e7..279f11b 100644
--- a/mgmt/p2p_dev_fsm.c
+++ b/mgmt/p2p_dev_fsm.c
@@ -709,89 +709,87 @@
 	P_P2P_CHNL_REQ_INFO_T prP2pChnlReqInfo = (P_P2P_CHNL_REQ_INFO_T) NULL;
 	P_P2P_MGMT_TX_REQ_INFO_T prP2pMgmtTxReqInfo = (P_P2P_MGMT_TX_REQ_INFO_T) NULL;
 
-	do {
-		ASSERT_BREAK((prAdapter != NULL) && (prMsgHdr != NULL));
+	prMgmtTxMsg = (P_MSG_P2P_MGMT_TX_REQUEST_T) prMsgHdr;
 
-		prMgmtTxMsg = (P_MSG_P2P_MGMT_TX_REQUEST_T) prMsgHdr;
+	if ((prMgmtTxMsg->ucBssIdx != P2P_DEV_BSS_INDEX) && (IS_NET_ACTIVE(prAdapter, prMgmtTxMsg->ucBssIdx))) {
+		DBGLOG(P2P, TRACE, " Role Interface\n");
+		p2pFuncTxMgmtFrame(prAdapter,
+				   prMgmtTxMsg->ucBssIdx,
+				   prMgmtTxMsg->prMgmtMsduInfo, prMgmtTxMsg->fgNoneCckRate);
+		goto error;
+	}
 
-		if ((prMgmtTxMsg->ucBssIdx != P2P_DEV_BSS_INDEX) && (IS_NET_ACTIVE(prAdapter, prMgmtTxMsg->ucBssIdx))) {
-			DBGLOG(P2P, TRACE, " Role Interface\n");
-			p2pFuncTxMgmtFrame(prAdapter,
-					   prMgmtTxMsg->ucBssIdx,
-					   prMgmtTxMsg->prMgmtMsduInfo, prMgmtTxMsg->fgNoneCckRate);
-			break;
+	DBGLOG(P2P, TRACE, " Device Interface\n");
+	DBGLOG(P2P, STATE, "p2pDevFsmRunEventMgmtTx\n");
+
+	prMgmtTxMsg->ucBssIdx = P2P_DEV_BSS_INDEX;
+
+	prP2pDevFsmInfo = prAdapter->rWifiVar.prP2pDevFsmInfo;
+
+	if (prP2pDevFsmInfo == NULL) {
+		DBGLOG(P2P, ERROR, "prP2pDevFsmInfo is NULL!\n");
+		goto error;
+	}
+
+	prP2pChnlReqInfo = &(prP2pDevFsmInfo->rChnlReqInfo);
+	prP2pMgmtTxReqInfo = &(prP2pDevFsmInfo->rMgmtTxInfo);
+
+	if ((!prMgmtTxMsg->fgIsOffChannel) ||
+	    ((prP2pDevFsmInfo->eCurrentState == P2P_DEV_STATE_OFF_CHNL_TX) &&
+	     (LINK_IS_EMPTY(&prP2pMgmtTxReqInfo->rP2pTxReqLink)))) {
+		p2pFuncTxMgmtFrame(prAdapter,
+				   prP2pDevFsmInfo->ucBssIndex,
+				   prMgmtTxMsg->prMgmtMsduInfo, prMgmtTxMsg->fgNoneCckRate);
+	} else {
+		P_P2P_OFF_CHNL_TX_REQ_INFO_T prOffChnlTxReq = (P_P2P_OFF_CHNL_TX_REQ_INFO_T) NULL;
+
+		prOffChnlTxReq = cnmMemAlloc(prAdapter, RAM_TYPE_MSG, sizeof(P2P_OFF_CHNL_TX_REQ_INFO_T));
+
+		if (prOffChnlTxReq == NULL) {
+			DBGLOG(P2P, ERROR, "Can not serve TX request due to MSG buffer not enough\n");
+			ASSERT(FALSE);
+			goto error;
 		}
 
-		DBGLOG(P2P, TRACE, " Device Interface\n");
-		DBGLOG(P2P, STATE, "p2pDevFsmRunEventMgmtTx\n");
+		prOffChnlTxReq->prMgmtTxMsdu = prMgmtTxMsg->prMgmtMsduInfo;
+		prOffChnlTxReq->fgNoneCckRate = prMgmtTxMsg->fgNoneCckRate;
+		kalMemCopy(&prOffChnlTxReq->rChannelInfo, &prMgmtTxMsg->rChannelInfo,
+			   sizeof(RF_CHANNEL_INFO_T));
+		prOffChnlTxReq->eChnlExt = prMgmtTxMsg->eChnlExt;
+		prOffChnlTxReq->fgIsWaitRsp = prMgmtTxMsg->fgIsWaitRsp;
 
-		prMgmtTxMsg->ucBssIdx = P2P_DEV_BSS_INDEX;
+		LINK_INSERT_TAIL(&prP2pMgmtTxReqInfo->rP2pTxReqLink, &prOffChnlTxReq->rLinkEntry);
 
-		prP2pDevFsmInfo = prAdapter->rWifiVar.prP2pDevFsmInfo;
+		/* Channel Request if needed. */
+		if (prP2pDevFsmInfo->eCurrentState != P2P_DEV_STATE_OFF_CHNL_TX) {
+			P_MSG_P2P_CHNL_REQUEST_T prP2pMsgChnlReq = (P_MSG_P2P_CHNL_REQUEST_T) NULL;
 
-		if (prP2pDevFsmInfo == NULL)
-			break;
+			prP2pMsgChnlReq = cnmMemAlloc(prAdapter, RAM_TYPE_MSG, sizeof(MSG_P2P_CHNL_REQUEST_T));
 
-		prP2pChnlReqInfo = &(prP2pDevFsmInfo->rChnlReqInfo);
-		prP2pMgmtTxReqInfo = &(prP2pDevFsmInfo->rMgmtTxInfo);
-
-		if ((!prMgmtTxMsg->fgIsOffChannel) ||
-		    ((prP2pDevFsmInfo->eCurrentState == P2P_DEV_STATE_OFF_CHNL_TX) &&
-		     (LINK_IS_EMPTY(&prP2pMgmtTxReqInfo->rP2pTxReqLink)))) {
-			p2pFuncTxMgmtFrame(prAdapter,
-					   prP2pDevFsmInfo->ucBssIndex,
-					   prMgmtTxMsg->prMgmtMsduInfo, prMgmtTxMsg->fgNoneCckRate);
-		} else {
-			P_P2P_OFF_CHNL_TX_REQ_INFO_T prOffChnlTxReq = (P_P2P_OFF_CHNL_TX_REQ_INFO_T) NULL;
-
-			prOffChnlTxReq = cnmMemAlloc(prAdapter, RAM_TYPE_MSG, sizeof(P2P_OFF_CHNL_TX_REQ_INFO_T));
-
-			if (prOffChnlTxReq == NULL) {
-				DBGLOG(P2P, ERROR, "Can not serve TX request due to MSG buffer not enough\n");
+			if (prP2pMsgChnlReq == NULL) {
+				cnmMemFree(prAdapter, prOffChnlTxReq);
 				ASSERT(FALSE);
-				break;
+				DBGLOG(P2P, ERROR, "Not enough MSG buffer for channel request\n");
+				goto error;
 			}
 
-			prOffChnlTxReq->prMgmtTxMsdu = prMgmtTxMsg->prMgmtMsduInfo;
-			prOffChnlTxReq->fgNoneCckRate = prMgmtTxMsg->fgNoneCckRate;
-			kalMemCopy(&prOffChnlTxReq->rChannelInfo, &prMgmtTxMsg->rChannelInfo,
-				   sizeof(RF_CHANNEL_INFO_T));
-			prOffChnlTxReq->eChnlExt = prMgmtTxMsg->eChnlExt;
-			prOffChnlTxReq->fgIsWaitRsp = prMgmtTxMsg->fgIsWaitRsp;
+			prP2pMsgChnlReq->eChnlReqType = CH_REQ_TYPE_OFFCHNL_TX;
 
-			LINK_INSERT_TAIL(&prP2pMgmtTxReqInfo->rP2pTxReqLink, &prOffChnlTxReq->rLinkEntry);
+			/* Not used in TX OFFCHNL REQ fields. */
+			prP2pMsgChnlReq->rMsgHdr.eMsgId = MID_MNY_P2P_CHNL_REQ;
+			prP2pMsgChnlReq->u8Cookie = 0;
+			prP2pMsgChnlReq->u4Duration = P2P_OFF_CHNL_TX_DEFAULT_TIME_MS;
 
-			/* Channel Request if needed. */
-			if (prP2pDevFsmInfo->eCurrentState != P2P_DEV_STATE_OFF_CHNL_TX) {
-				P_MSG_P2P_CHNL_REQUEST_T prP2pMsgChnlReq = (P_MSG_P2P_CHNL_REQUEST_T) NULL;
+			kalMemCopy(&prP2pMsgChnlReq->rChannelInfo,
+				   &prMgmtTxMsg->rChannelInfo, sizeof(RF_CHANNEL_INFO_T));
+			prP2pMsgChnlReq->eChnlSco = prMgmtTxMsg->eChnlExt;
 
-				prP2pMsgChnlReq = cnmMemAlloc(prAdapter, RAM_TYPE_MSG, sizeof(MSG_P2P_CHNL_REQUEST_T));
-
-				if (prP2pMsgChnlReq == NULL) {
-					cnmMemFree(prAdapter, prOffChnlTxReq);
-					ASSERT(FALSE);
-					DBGLOG(P2P, ERROR, "Not enough MSG buffer for channel request\n");
-					break;
-				}
-
-				prP2pMsgChnlReq->eChnlReqType = CH_REQ_TYPE_OFFCHNL_TX;
-
-				/* Not used in TX OFFCHNL REQ fields. */
-				prP2pMsgChnlReq->rMsgHdr.eMsgId = MID_MNY_P2P_CHNL_REQ;
-				prP2pMsgChnlReq->u8Cookie = 0;
-				prP2pMsgChnlReq->u4Duration = P2P_OFF_CHNL_TX_DEFAULT_TIME_MS;
-
-				kalMemCopy(&prP2pMsgChnlReq->rChannelInfo,
-					   &prMgmtTxMsg->rChannelInfo, sizeof(RF_CHANNEL_INFO_T));
-				prP2pMsgChnlReq->eChnlSco = prMgmtTxMsg->eChnlExt;
-
-				p2pDevFsmRunEventChannelRequest(prAdapter, (P_MSG_HDR_T) prP2pMsgChnlReq);
-			}
+			p2pDevFsmRunEventChannelRequest(prAdapter, (P_MSG_HDR_T) prP2pMsgChnlReq);
 		}
-	} while (FALSE);
+	}
 
-	if (prMsgHdr)
-		cnmMemFree(prAdapter, prMsgHdr);
+error:
+	cnmMemFree(prAdapter, prMsgHdr);
 }				/* p2pDevFsmRunEventMgmtTx */
 
 WLAN_STATUS
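Review bot: The commit drops the guard on both pointers instead of moving it before first use: `prMgmtTxMsg->ucBssIdx` and `IS_NET_ACTIVE(prAdapter, ...)` at the top of this hunk now execute with no check that prMsgHdr and prAdapter are non-NULL, so if the removed `ASSERT_BREAK` ever caught a real case, the late-check warning has become an unconditional dereference. If the message dispatcher guarantees non-NULL arguments, say so where the guard was, e.g. `/* prAdapter and prMsgHdr are non-NULL by caller contract; prMsgHdr is always freed at the label below */`; otherwise restore the check as an early `if (!prAdapter || !prMsgHdr) return;` before the first dereference. The same guard removal appears in p2pFsmRunEventUpdateMgmtFrame (second hunk), while p2pFsmRunEventScanDone (third hunk, which runs past the end of this view) still keeps the late `if (prMsgHdr)` after dereferencing prMsgHdr through prScanDoneMsg, so the commit leaves the pattern it sets out to fix inconsistent across the three functions. Separately, the `error:` label is also the target of the normal role-interface path and of the fall-through success path, so a neutral name such as `out:` would describe what the label does.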
diff --git a/mgmt/p2p_fsm.c b/mgmt/p2p_fsm.c
index 76ebf5b..a31ad3b 100644
--- a/mgmt/p2p_fsm.c
+++ b/mgmt/p2p_fsm.c
@@ -210,31 +210,26 @@
 {
 	P_MSG_P2P_MGMT_FRAME_UPDATE_T prP2pMgmtFrameUpdateMsg = (P_MSG_P2P_MGMT_FRAME_UPDATE_T) NULL;
 
-	do {
-		ASSERT_BREAK((prAdapter != NULL) && (prMsgHdr != NULL));
+	DBGLOG(P2P, TRACE, "p2pFsmRunEventUpdateMgmtFrame\n");
 
-		DBGLOG(P2P, TRACE, "p2pFsmRunEventUpdateMgmtFrame\n");
+	prP2pMgmtFrameUpdateMsg = (P_MSG_P2P_MGMT_FRAME_UPDATE_T) prMsgHdr;
 
-		prP2pMgmtFrameUpdateMsg = (P_MSG_P2P_MGMT_FRAME_UPDATE_T) prMsgHdr;
+	switch (prP2pMgmtFrameUpdateMsg->eBufferType) {
+	case ENUM_FRAME_TYPE_EXTRA_IE_BEACON:
+		break;
+	case ENUM_FRAME_TYPE_EXTRA_IE_ASSOC_RSP:
+		break;
+	case ENUM_FRAME_TYPE_EXTRA_IE_PROBE_RSP:
+		break;
+	case ENUM_FRAME_TYPE_PROBE_RSP_TEMPLATE:
+		break;
+	case ENUM_FRAME_TYPE_BEACON_TEMPLATE:
+		break;
+	default:
+		break;
+	}
 
-		switch (prP2pMgmtFrameUpdateMsg->eBufferType) {
-		case ENUM_FRAME_TYPE_EXTRA_IE_BEACON:
-			break;
-		case ENUM_FRAME_TYPE_EXTRA_IE_ASSOC_RSP:
-			break;
-		case ENUM_FRAME_TYPE_EXTRA_IE_PROBE_RSP:
-			break;
-		case ENUM_FRAME_TYPE_PROBE_RSP_TEMPLATE:
-			break;
-		case ENUM_FRAME_TYPE_BEACON_TEMPLATE:
-			break;
-		default:
-			break;
-		}
-	} while (FALSE);
-
-	if (prMsgHdr)
-		cnmMemFree(prAdapter, prMsgHdr);
+	cnmMemFree(prAdapter, prMsgHdr);
 }				/* p2pFsmRunEventUpdateMgmtFrame */
 
 #if CFG_SUPPORT_WFD
@@ -294,40 +289,36 @@
 	P_MSG_SCN_SCAN_DONE prScanDoneMsg = (P_MSG_SCN_SCAN_DONE) NULL;
 	P_BSS_INFO_T prP2pBssInfo = (P_BSS_INFO_T) NULL;
 
-	do {
-		ASSERT_BREAK((prAdapter != NULL) && (prMsgHdr != NULL));
+	prScanDoneMsg = (P_MSG_SCN_SCAN_DONE) prMsgHdr;
 
-		prScanDoneMsg = (P_MSG_SCN_SCAN_DONE) prMsgHdr;
+	prP2pBssInfo = GET_BSS_INFO_BY_INDEX(prAdapter, prScanDoneMsg->ucBssIndex);
 
-		prP2pBssInfo = GET_BSS_INFO_BY_INDEX(prAdapter, prScanDoneMsg->ucBssIndex);
+	if (prAdapter->fgIsP2PRegistered == FALSE) {
+		DBGLOG(P2P, TRACE, "P2P BSS Info is removed, break p2pFsmRunEventScanDone\n");
 
-		if (prAdapter->fgIsP2PRegistered == FALSE) {
-			DBGLOG(P2P, TRACE, "P2P BSS Info is removed, break p2pFsmRunEventScanDone\n");
+		if (prMsgHdr)
+			cnmMemFree(prAdapter, prMsgHdr);
+		return;
+	}
 
-			if (prMsgHdr)
-				cnmMemFree(prAdapter, prMsgHdr);
-			break;
-		}
+	DBGLOG(P2P, TRACE, "P2P Scan Done Event\n");
 
-		DBGLOG(P2P, TRACE, "P2P Scan Done Event\n");
-
-		switch (prP2pBssInfo->eCurrentOPMode) {
-		case OP_MODE_P2P_DEVICE:
-			ASSERT(prP2pBssInfo->ucBssIndex == P2P_DEV_BSS_INDEX);
-			p2pDevFsmRunEventScanDone(prAdapter, prMsgHdr, prAdapter->rWifiVar.prP2pDevFsmInfo);
-			break;
-		case OP_MODE_INFRASTRUCTURE:
-		case OP_MODE_ACCESS_POINT:
-			ASSERT(prP2pBssInfo->ucBssIndex < P2P_DEV_BSS_INDEX);
-			p2pRoleFsmRunEventScanDone(prAdapter, prMsgHdr,
-						   P2P_ROLE_INDEX_2_ROLE_FSM_INFO(prAdapter,
-										  prP2pBssInfo->u4PrivateData));
-			break;
-		default:
-			ASSERT(FALSE);
-			break;
-		}
-	} while (FALSE);
+	switch (prP2pBssInfo->eCurrentOPMode) {
+	case OP_MODE_P2P_DEVICE:
+		ASSERT(prP2pBssInfo->ucBssIndex == P2P_DEV_BSS_INDEX);
+		p2pDevFsmRunEventScanDone(prAdapter, prMsgHdr, prAdapter->rWifiVar.prP2pDevFsmInfo);
+		break;
+	case OP_MODE_INFRASTRUCTURE:
+	case OP_MODE_ACCESS_POINT:
+		ASSERT(prP2pBssInfo->ucBssIndex < P2P_DEV_BSS_INDEX);
+		p2pRoleFsmRunEventScanDone(prAdapter, prMsgHdr,
+					   P2P_ROLE_INDEX_2_ROLE_FSM_INFO(prAdapter,
+									  prP2pBssInfo->u4PrivateData));
+		break;
+	default:
+		ASSERT(FALSE);
+		break;
+	}
 }				/* p2pFsmRunEventScanDone */