[WCNCR00152848] cfg80211: fix coverity issue
[Description]
Fix error handle of mtk_p2p_cfg80211_add_iface().
Fix coverity defects under os/linux/
- CID#361758 "RESOURCE_LEAK" in gl_p2p.c:1106
- CID#16301 "DEREFERENCE_BEFORE_NULL_CHECK" in gl_p2p.c:501
- CID#361764 "DEREFERENCE_BEFORE_NULL_CHECK" in gl_p2p_cfg80211.c:2540
- CID#16518 "STRUCTURALLY_DEAD_CODE" in gl_p2p_cfg80211.c:1338
- CID#15575 "MISSING_BREAK_IN_SWITCH" in gl_p2p_cfg80211.c:2497
- CID#15575 "MISSING_BREAK_IN_SWITCH" in gl_p2p_cfg80211.c:2505
- CID#70624 "DEREFERENCE_BEFORE_NULL_CHECK" in gl_p2p_kal.c:1382
- CID#76762 "UNINITIALIZED_SCALAR_VARIABLE" in gl_vendor.c:843
- CID#16364 "WRONG_SIZE_ARGUMENT" in gl_wext.c:1342
- CID#15626 "MIXING_ENUM_TYPES" in gl_wext.c:2380
- CID#15491 "MIXING_ENUM_TYPES" in gl_wext.c:2380
- CID#361736 "RESOURCE_LEAK" in gl_qa_agent.c:2376
- CID#361514 "MEMORY_CORRUPTIONS" in gl_hook_api.c:2510
- CID#361511 "MEMORY_CORRUPTIONS" in gl_qa_agent.c:2028
- CID#69918 "NULL_POINTER_DEREFERENCES" in gl_init.c:2464
- CID#16662 "UNTRUSTED_VALUE_AS_ARGUMENT" in gl_wext.c:3641
- CID#70040 "OUT_OF_BOUNDS_ACCESS" in gl_wext.c:2958
- CID#2355254 "DEADCODE" in gl_wext.c:2384,2387,2390,2393
- CID#2222643 "DEADCODE" in gl_p2p_cfg80211.c:1526
- CID#2222641 "DEADCODE" in gl_p2p_cfg80211.c:1411
Change-Id: Ieadcb2a797bec3c92bd0058233006235b744e85c
Signed-off-by: Chun Lee <chun.lee@mediatek.com>
CR-Id: WCNCR00152848
Feature: cfg80211
diff --git a/os/linux/gl_hook_api.c b/os/linux/gl_hook_api.c
index e47e203..864efa9 100644
--- a/os/linux/gl_hook_api.c
+++ b/os/linux/gl_hook_api.c
@@ -2505,6 +2505,8 @@
kalMemSet(&rAccessEfuseInfoWrite, 0, sizeof(PARAM_CUSTOM_ACCESS_EFUSE_T));
u4Index = u2Offset % EFUSE_BLOCK_SIZE;
+ if (u4Index > EFUSE_BLOCK_SIZE - 2)
+ return -EINVAL;
prGlueInfo->prAdapter->aucEepromVaule[u4Index] = u2Content;
prGlueInfo->prAdapter->aucEepromVaule[u4Index+1] = u2Content >> 8 & 0xff;
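Review bot: The new guard is expressed in terms of EFUSE_BLOCK_SIZE, but the two writes that follow index aucEepromVaule, whose capacity is not visible in this hunk; the check only protects that buffer if it holds at least EFUSE_BLOCK_SIZE bytes. Tying the bound to the destination removes the coupling, e.g. `if (u4Index + 1 >= sizeof(prGlueInfo->prAdapter->aucEepromVaule)) return -EINVAL;` — valid only if aucEepromVaule is a real array rather than a pointer, which should be confirmed against its declaration. The enclosing function starts and ends outside the hunk, so whether u2Offset is already range-checked cannot be seen from here.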
diff --git a/os/linux/gl_p2p.c b/os/linux/gl_p2p.c
index 7bbd977..c021b55 100644
--- a/os/linux/gl_p2p.c
+++ b/os/linux/gl_p2p.c
@@ -493,6 +493,10 @@
/* UINT_32 u4Idx = 0; */
ASSERT(prGlueInfo);
+ if (!prGlueInfo) {
+ DBGLOG(P2P, ERROR, "prGlueInfo error\n");
+ return FALSE;
+ }
prAdapter = prGlueInfo->prAdapter;
prWifiVar = &(prAdapter->rWifiVar);
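Review bot: The new NULL check sits directly under `ASSERT(prGlueInfo);`, so on builds where ASSERT is fatal the graceful `return FALSE` is never reached, and on builds where it is not the ASSERT adds nothing. Either drop the ASSERT or place the check above it so the early return is the single path for a NULL prGlueInfo. The function's signature and most of its body are outside the hunk; the removal of the old in-loop check at @@ -501 is consistent with this early return.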
@@ -501,9 +505,6 @@
ASSERT(prWifiVar);
do {
- if (prGlueInfo == NULL)
- break;
-
if (prGlueInfo->prP2PInfo[ucIdex] == NULL) {
/*alloc memory for p2p info */
prGlueInfo->prP2PInfo[ucIdex] = kalMemAlloc(sizeof(GL_P2P_INFO_T), VIR_MEM_TYPE);
@@ -1141,8 +1142,10 @@
}
}
- if (i == KAL_P2P_NUM)
+ if (i == KAL_P2P_NUM) {
DBGLOG(INIT, WARN, "fail to register wiphy to driver\n");
+ goto free_wiphy;
+ }
return TRUE;
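Review bot: The new `goto free_wiphy` jumps to a label outside this hunk, so it cannot be verified here that the cleanup matches the state reached at this point — in particular whether anything the loop above registered is unregistered before being freed, and what value the label path returns (the success path returns TRUE). A short comment at the goto, `/* no free slot: undo what the loop above set up */`, and a look at the free_wiphy label alongside this change would settle that. The condition `i == KAL_P2P_NUM` also deserves a comment, since a loop index reaching its limit reads as "table exhausted" rather than the "fail to register wiphy" the log states.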
diff --git a/os/linux/gl_p2p_cfg80211.c b/os/linux/gl_p2p_cfg80211.c
index 1df21c8..f83d115 100644
--- a/os/linux/gl_p2p_cfg80211.c
+++ b/os/linux/gl_p2p_cfg80211.c
@@ -311,11 +311,12 @@
do {
prGlueInfo = *((P_GLUE_INFO_T *) wiphy_priv(wiphy));
- prAdapter = prGlueInfo->prAdapter;
if (prGlueInfo == NULL)
break;
+ prAdapter = prGlueInfo->prAdapter;
+
for (u4Idx = 0; u4Idx < KAL_P2P_NUM; u4Idx++) {
if (prGlueInfo->prP2PInfo[u4Idx]->aprRoleHandler ==
prGlueInfo->prP2PInfo[u4Idx]->prDevHandler)
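Review bot: The loop that follows the relocated prAdapter assignment dereferences `prGlueInfo->prP2PInfo[u4Idx]` without checking it, and the gl_p2p.c hunk in this same commit shows those entries being allocated lazily (`kalMemAlloc` when the slot is NULL), so a NULL slot is at least possible here. If that can happen before add_iface runs, guard it, e.g. `if (prGlueInfo->prP2PInfo[u4Idx] == NULL) continue;`; if init guarantees every slot is populated, record that in a comment above the loop instead. The enclosing function (mtk_p2p_cfg80211_add_iface, per the log string in the next hunk) begins and ends outside the hunk.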
@@ -326,16 +327,16 @@
}
}
- /*u4Idx = 0;*/
- DBGLOG(P2P, TRACE, "mtk_p2p_cfg80211_add_iface u4Idx=%d\n", u4Idx);
-
- prP2pInfo = prGlueInfo->prP2PInfo[u4Idx];
-
if (u4Idx == KAL_P2P_NUM) {
/* Role port full. */
break;
}
+ /*u4Idx = 0;*/
+ DBGLOG(P2P, TRACE, "mtk_p2p_cfg80211_add_iface u4Idx=%d\n", u4Idx);
+
+ prP2pInfo = prGlueInfo->prP2PInfo[u4Idx];
+
DBGLOG(P2P, TRACE, "mtk_p2p_cfg80211_add_iface name = %s\n", name);
#if KERNEL_VERSION(3, 17, 0) <= CFG80211_VERSION_CODE
prNewNetDevice = alloc_netdev_mq(sizeof(NETDEV_PRIVATE_GLUE_INFO), name,
@@ -454,17 +455,20 @@
switch (type) {
case NL80211_IFTYPE_P2P_CLIENT:
DBGLOG(P2P, TRACE, "NL80211_IFTYPE_P2P_CLIENT.\n");
+ prSwitchModeMsg->eOpMode = OP_MODE_INFRASTRUCTURE;
+ kalP2PSetRole(prGlueInfo, 1, u4Idx);
+ break;
case NL80211_IFTYPE_STATION:
- if (type == NL80211_IFTYPE_STATION)
DBGLOG(P2P, TRACE, "NL80211_IFTYPE_STATION.\n");
prSwitchModeMsg->eOpMode = OP_MODE_INFRASTRUCTURE;
kalP2PSetRole(prGlueInfo, 1, u4Idx);
break;
case NL80211_IFTYPE_AP:
DBGLOG(P2P, TRACE, "NL80211_IFTYPE_AP.\n");
+ prSwitchModeMsg->eOpMode = OP_MODE_ACCESS_POINT;
kalP2PSetRole(prGlueInfo, 2, u4Idx);
+ break;
case NL80211_IFTYPE_P2P_GO:
- if (type == NL80211_IFTYPE_P2P_GO)
DBGLOG(P2P, TRACE, "NL80211_IFTYPE_P2P_GO not AP.\n");
prSwitchModeMsg->eOpMode = OP_MODE_ACCESS_POINT;
kalP2PSetRole(prGlueInfo, 2, u4Idx);
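Review bot: With the fallthroughs closed, the P2P_CLIENT/STATION pair and the AP/P2P_GO pair now have bodies that are identical apart from the trace string, which invites the copies to drift apart. Letting the paired labels share one body (`case NL80211_IFTYPE_P2P_CLIENT: case NL80211_IFTYPE_STATION:` with a single DBGLOG that prints `type`) keeps each mode/role assignment in one place. The same duplication appears in the hunk at @@ -2642 of this file. The switch's default branch, if any, is outside the hunk.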
@@ -480,9 +484,23 @@
}
/* Send Msg to DevFsm and active P2P dev BSS */
- prMsgActiveBss = cnmMemAlloc(prGlueInfo->prAdapter, RAM_TYPE_MSG, sizeof(MSG_P2P_ACTIVE_DEV_BSS_T));
+ prMsgActiveBss =
+ (P_MSG_P2P_ACTIVE_DEV_BSS_T) cnmMemAlloc(prGlueInfo->prAdapter, RAM_TYPE_MSG,
+ sizeof(MSG_P2P_ACTIVE_DEV_BSS_T));
+
+ if (prMsgActiveBss == NULL) {
+ ASSERT(FALSE);
+ DBGLOG(INIT, WARN, "unable to alloc msg\n");
+ kfree(prWdev);
+ prWdev = ERR_PTR(-ENOMEM);
+ free_netdev(prGlueInfo->prP2PInfo[u4Idx]->aprRoleHandler);
+ prGlueInfo->prP2PInfo[u4Idx]->aprRoleHandler = NULL;
+ break;
+ }
+
prMsgActiveBss->rMsgHdr.eMsgId = MID_MNY_P2P_ACTIVE_BSS;
mboxSendMsg(prGlueInfo->prAdapter, MBOX_ID_0, (P_MSG_HDR_T) prMsgActiveBss, MSG_SEND_METHOD_BUF);
+
} while (FALSE);
return prWdev;
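Review bot: The new cnmMemAlloc failure path frees the netdev and the wdev but nothing in the hunk undoes the kalP2PSetRole call made in the switch above, and it is not visible whether the netdev held in aprRoleHandler was already registered (in which case free_netdev alone is not enough) or whether anything else still points at the kfree'd prWdev; both need confirming against the part of mtk_p2p_cfg80211_add_iface outside this hunk. `ASSERT(FALSE)` immediately before a handled error is also questionable: on fatal-ASSERT builds the recovery code below it never runs, so keep the log and drop the ASSERT. Since the earlier failure points in this function presumably need the same unwind, a single cleanup label would keep them consistent.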
@@ -1437,8 +1455,6 @@
/* int inactivity_timeout; */
/* }; */
/* ////////////////// */
-
- return i4Rslt;
} /* mtk_p2p_cfg80211_start_ap */
#if (CFG_SUPPORT_DFS_MASTER == 1)
@@ -1481,12 +1497,9 @@
prGlueInfo->prP2PInfo[ucRoleIdx]->cac_time_ms = cac_time_ms;
- if (chandef) {
mtk_p2p_cfg80211func_channel_format_switch(chandef, chandef->chan, &rRfChnlInfo);
p2pFuncSetChannel(prGlueInfo->prAdapter, ucRoleIdx, &rRfChnlInfo);
- } else
- break;
DBGLOG(P2P, INFO, "mtk_p2p_cfg80211_start_radar_detection.(role %d)\n", ucRoleIdx);
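Review bot: The `if (chandef)` guard is deleted rather than hoisted; Coverity presumably reported it dead because chandef is already dereferenced earlier in mtk_p2p_cfg80211_start_radar_detection (outside this hunk), and removing the check leaves that earlier dereference as the only "handling" of a NULL argument. The same applies to the `if (params)` removal in the next hunk (mtk_p2p_cfg80211_channel_switch). If these callbacks rely on cfg80211 never passing a NULL pointer, say so in a one-line comment at the top of each; otherwise move the check ahead of the first use, as this commit already does for wiphy/chandef in the mtk_p2p_cfg80211_set_channel hunk, with an early `return -EINVAL;` in that style.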
@@ -1596,13 +1609,10 @@
memcpy(prGlueInfo->prP2PInfo[ucRoleIdx]->chandef->chan, params->chandef.chan,
sizeof(struct ieee80211_channel));
- if (params) {
mtk_p2p_cfg80211func_channel_format_switch(¶ms->chandef,
params->chandef.chan, &rRfChnlInfo);
p2pFuncSetChannel(prGlueInfo->prAdapter, ucRoleIdx, &rRfChnlInfo);
- } else
- break;
DBGLOG(P2P, INFO, "mtk_p2p_cfg80211_channel_switch.(role %d)\n", ucRoleIdx);
@@ -2642,17 +2652,20 @@
switch (type) {
case NL80211_IFTYPE_P2P_CLIENT:
DBGLOG(P2P, TRACE, "NL80211_IFTYPE_P2P_CLIENT.\n");
+ prSwitchModeMsg->eOpMode = OP_MODE_INFRASTRUCTURE;
+ kalP2PSetRole(prGlueInfo, 1, ucRoleIdx);
+ break;
case NL80211_IFTYPE_STATION:
- if (type == NL80211_IFTYPE_STATION)
DBGLOG(P2P, TRACE, "NL80211_IFTYPE_STATION.\n");
prSwitchModeMsg->eOpMode = OP_MODE_INFRASTRUCTURE;
kalP2PSetRole(prGlueInfo, 1, ucRoleIdx);
break;
case NL80211_IFTYPE_AP:
DBGLOG(P2P, TRACE, "NL80211_IFTYPE_AP.\n");
+ prSwitchModeMsg->eOpMode = OP_MODE_ACCESS_POINT;
kalP2PSetRole(prGlueInfo, 2, ucRoleIdx);
+ break;
case NL80211_IFTYPE_P2P_GO:
- if (type == NL80211_IFTYPE_P2P_GO)
DBGLOG(P2P, TRACE, "NL80211_IFTYPE_P2P_GO not AP.\n");
prSwitchModeMsg->eOpMode = OP_MODE_ACCESS_POINT;
kalP2PSetRole(prGlueInfo, 2, ucRoleIdx);
@@ -2678,13 +2691,16 @@
{
INT_32 i4Rslt = -EINVAL;
P_GLUE_INFO_T prGlueInfo = (P_GLUE_INFO_T) NULL;
+ struct net_device *dev = (struct net_device *) NULL;
RF_CHANNEL_INFO_T rRfChnlInfo;
UINT_8 ucRoleIdx = 0;
- struct net_device *dev = (struct net_device *)wiphy_dev(wiphy);
+
+ if ((wiphy == NULL) || (chandef == NULL))
+ return i4Rslt;
+
+ dev = (struct net_device *) wiphy_dev(wiphy);
do {
- if ((wiphy == NULL) || (chandef == NULL))
- break;
DBGLOG(P2P, INFO, "mtk_p2p_cfg80211_set_channel.\n");
prGlueInfo = *((P_GLUE_INFO_T *) wiphy_priv(wiphy));
diff --git a/os/linux/gl_p2p_kal.c b/os/linux/gl_p2p_kal.c
index 22a6eaf..3fe22c3 100644
--- a/os/linux/gl_p2p_kal.c
+++ b/os/linux/gl_p2p_kal.c
@@ -1394,12 +1394,15 @@
struct ieee80211_channel *kalP2pFuncGetChannelEntry(IN P_GL_P2P_INFO_T prP2pInfo, IN P_RF_CHANNEL_INFO_T prChannelInfo)
{
struct ieee80211_channel *prTargetChannelEntry = (struct ieee80211_channel *)NULL;
+ struct wiphy *wiphy = (struct wiphy *) NULL;
UINT_32 u4TblSize = 0, u4Idx = 0;
- struct wiphy *wiphy = prP2pInfo->prWdev->wiphy;
+
+ if ((prP2pInfo == NULL) || (prChannelInfo == NULL))
+ return NULL;
+
+ wiphy = prP2pInfo->prWdev->wiphy;
do {
- if ((prP2pInfo == NULL) || (prChannelInfo == NULL))
- break;
switch (prChannelInfo->eBand) {
case BAND_2G4:
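Review bot: The hoisted NULL check covers prP2pInfo and prChannelInfo, but `wiphy = prP2pInfo->prWdev->wiphy` still dereferences prWdev unconditionally, and the add_iface hunk in gl_p2p_cfg80211.c shows a wdev being kfree'd on an error path; if that is the object stored in prP2pInfo->prWdev, a NULL value is plausible at some point in the interface lifecycle. If it can be NULL when this lookup runs, extend the guard: `if ((prP2pInfo == NULL) || (prChannelInfo == NULL) || (prP2pInfo->prWdev == NULL)) return NULL;`. The function body continues past the hunk.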
diff --git a/os/linux/gl_qa_agent.c b/os/linux/gl_qa_agent.c
index a914561..990aab7 100644
--- a/os/linux/gl_qa_agent.c
+++ b/os/linux/gl_qa_agent.c
@@ -2388,7 +2388,6 @@
ResponseToQA(HqaCmdFrame, prIwReqData, 2 + Len, i4Ret);
exit:
-
kfree(Buffer);
return i4Ret;
diff --git a/os/linux/gl_vendor.c b/os/linux/gl_vendor.c
index 227cd2e..13abe5d 100644
--- a/os/linux/gl_vendor.c
+++ b/os/linux/gl_vendor.c
@@ -835,10 +835,12 @@
DBGLOG(REQ, INFO, "vendor command: data_len=%d\n", data_len);
attr = (struct nlattr *)data;
- if (attr->nla_type == WIFI_ATTRIBUTE_COUNTRY_CODE) {
+
+ if (attr->nla_type != WIFI_ATTRIBUTE_COUNTRY_CODE)
+ return -EINVAL;
+
country[0] = *((PUINT_8)nla_data(attr));
country[1] = *((PUINT_8)nla_data(attr) + 1);
- }
DBGLOG(REQ, INFO, "Set country code: %c%c\n", country[0], country[1]);
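Review bot: The attribute type is now checked but its length is not: `data` and `data_len` arrive with the vendor command, and nothing here confirms that data_len covers a netlink attribute header or that the attribute carries two payload bytes before `nla_data(attr)` and `nla_data(attr) + 1` are read. Reject short input ahead of the type check, e.g. `if (!data || data_len < NLA_HDRLEN || nla_len(attr) < 2) return -EINVAL;`. Comparing the raw `attr->nla_type` field also includes the NLA_F_* flag bits; `nla_type(attr)` masks them. The function's prologue and epilogue are outside the hunk.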
diff --git a/os/linux/gl_wext.c b/os/linux/gl_wext.c
index 2afad9c..d1f6bf2 100644
--- a/os/linux/gl_wext.c
+++ b/os/linux/gl_wext.c
@@ -1343,7 +1343,7 @@
/* } */
if (prGlueInfo->eParamMediaStateIndicated == PARAM_MEDIA_STATE_DISCONNECTED) {
- memset(prAddr, 0, 6);
+ memset(prAddr, 0, sizeof(*prAddr));
return 0;
}
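Review bot: `sizeof(*prAddr)` now clears whatever prAddr points to, and the hunk does not show prAddr's type; the original cleared exactly 6 bytes, i.e. a MAC address. If prAddr is a `struct sockaddr *`, the new form wipes the whole sockaddr including sa_family; if it is a `UINT_8 *`, it clears a single byte and leaves five bytes of stale address behind. Pick the form that names the intent, e.g. `memset(prAddr->sa_data, 0, sizeof(prAddr->sa_data));` for a sockaddr, and confirm against the declaration outside the hunk.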
@@ -2381,7 +2381,7 @@
wlanSetAcpiState(prGlueInfo->prAdapter, ePowerState);
}
- prGlueInfo->ePowerState = ePowerState;
+ prGlueInfo->ePowerState = ParamDeviceStateD0;
return ret;
} /* wext_set_txpow */
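Review bot: Replacing `ePowerState` with the constant `ParamDeviceStateD0` means the cached prGlueInfo->ePowerState no longer mirrors the value passed to wlanSetAcpiState just above; that is only correct if ePowerState can never be anything but D0 on this path. The commit's DEADCODE entries for this function suggest the other branches were unreachable, but the hunk does not show why, so record it: `/* wext_set_txpow only ever leaves the device in D0; other ACPI states are unreachable here */`. If MIXING_ENUM_TYPES was the only concern, keeping the assignment tied to ePowerState with an explicit conversion to the target enum preserves the mirroring.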
@@ -2957,7 +2957,8 @@
}
/* PN */
- memcpy(&prWpiKey->aucPN[0], &prIWEncExt->tx_seq[0], IW_ENCODE_SEQ_MAX_SIZE * 2);
+ memcpy(&prWpiKey->aucPN[0], &prIWEncExt->tx_seq[0], IW_ENCODE_SEQ_MAX_SIZE);
+ memcpy(&prWpiKey->aucPN[8], &prIWEncExt->rx_seq[0], IW_ENCODE_SEQ_MAX_SIZE);
/* BSSID */
memcpy(prWpiKey->aucAddrIndex, prIWEncExt->addr.sa_data, 6);
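Review bot: The second copy lands at `&prWpiKey->aucPN[8]`, a literal that duplicates IW_ENCODE_SEQ_MAX_SIZE; if the constant ever changes the two halves overlap or leave a gap. Write the offset as `&prWpiKey->aucPN[IW_ENCODE_SEQ_MAX_SIZE]` and, since aucPN's size is not visible here, pair it with `BUILD_BUG_ON(sizeof(prWpiKey->aucPN) < 2 * IW_ENCODE_SEQ_MAX_SIZE);` if aucPN is an array. The hard-coded `6` in the BSSID copy on the hunk's last line is the same pattern.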
@@ -3115,6 +3116,12 @@
memcpy(((PUINT_8) prKey->aucKeyMaterial) + 16, prIWEncExt->key + 24, 8);
memcpy((prKey->aucKeyMaterial) + 24, prIWEncExt->key + 16, 8);
} else {
+ /* aucKeyMaterial is defined as a 32-elements array */
+ if (prIWEncExt->key_len > 32) {
+ DBGLOG(REQ, ERROR, "prIWEncExt->key_len: %d is too long!\n",
+ prIWEncExt->key_len);
+ return -EFAULT;
+ }
memcpy(prKey->aucKeyMaterial, prIWEncExt->key, prIWEncExt->key_len);
}
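Review bot: The new bound is the literal 32 with a comment restating that aucKeyMaterial has 32 elements; `if (prIWEncExt->key_len > sizeof(prKey->aucKeyMaterial))` expresses the same thing and cannot drift from the declaration, provided aucKeyMaterial is an array as the comment says. A too-long key is an invalid argument rather than a bad address, so `-EINVAL` fits better than `-EFAULT`. The guard also covers only the else branch; the branch above copies from `key + 16` through `key + 32` unconditionally, so unless key_len is validated earlier for that case it reads past the supplied key — the hunk does not show either way.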
@@ -3622,13 +3629,19 @@
case SIOCSIWENCODEEXT: /* 0x8B34, set extended encoding token & mode */
if (iwr->u.encoding.pointer) {
u4ExtraSize = iwr->u.encoding.length;
+
+ if (u4ExtraSize > sizeof(struct iw_encode_ext)) {
+ ret = -EINVAL;
+ break;
+ }
+
prExtraBuf = kalMemAlloc(u4ExtraSize, VIR_MEM_TYPE);
if (!prExtraBuf) {
ret = -ENOMEM;
break;
}
- if (copy_from_user(prExtraBuf, iwr->u.encoding.pointer, iwr->u.encoding.length))
+ if (copy_from_user(prExtraBuf, iwr->u.encoding.pointer, u4ExtraSize))
ret = -EFAULT;
} else if (iwr->u.encoding.length != 0) {
ret = -EINVAL;
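Review bot: The new cap `u4ExtraSize > sizeof(struct iw_encode_ext)` looks too tight: in the kernel's wireless.h, struct iw_encode_ext ends with a zero-length `key[]` and the key bytes follow the struct, so any request whose encoding.length includes key material would now be rejected with -EINVAL; please confirm against the header in use. The check is also one-sided — a length shorter than the struct is still accepted and copied, after which the buffer is read as a full iw_encode_ext. A bound such as `if (u4ExtraSize < sizeof(struct iw_encode_ext) || u4ExtraSize > sizeof(struct iw_encode_ext) + 32) { ret = -EINVAL; break; }` (32 being the aucKeyMaterial limit applied in the @@ -3115 hunk) covers both, and the consumer should then also check `key_len <= u4ExtraSize - sizeof(struct iw_encode_ext)` so it never reads past the copied buffer.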