From e6f1a85f585b9c427a95d402943ad5d5ee082086 Mon Sep 17 00:00:00 2001
From: Filip Matusiak <filip.matusiak@iopsys.eu>
Date: Tue, 1 Mar 2022 15:14:55 +0100
Subject: [PATCH] map-agent: safeguard reallocate for possible memleaks

---
 src/agent.c      | 12 ++++++++----
 src/agent_cmdu.c |  3 +--
 src/agent_map.c  | 11 +++++------
 3 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/src/agent.c b/src/agent.c
index fc2e12c82..b9fe375ab 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -4899,6 +4899,7 @@ static void parse_ap_stats(struct ubus_request *req, int type,
 	int bss_index;
 	struct wifi_radio_element *radio;
 	struct wifi_bss_element *bss;
+	struct wifi_bss_element *bsslist;
 	struct netif_fh *fh = (struct netif_fh *)req->priv;
 	struct blob_attr *tb[6];
 	static const struct blobmsg_policy ap_stats_attr[6] = {
@@ -4915,10 +4916,13 @@ static void parse_ap_stats(struct ubus_request *req, int type,
 	if (!radio)
 		return;
 
-	radio->num_bss++;
-	radio->bsslist = (struct wifi_bss_element *)realloc(radio->bsslist,
-			radio->num_bss * sizeof(struct wifi_bss_element));
-	if (!radio->bsslist)
+	bsslist = (struct wifi_bss_element *)realloc(radio->bsslist,
+			(radio->num_bss + 1) * sizeof(struct wifi_bss_element));
+
+	if (bsslist) {
+		radio->bsslist = bsslist;
+		radio->num_bss++;
+	} else
 		return;
 
 	bss_index = radio->num_bss - 1;
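Review bot: The failure branch `} else return;` exits silently and pairs a braced `if` with an unbraced `else`, while the agent_map.c hunk of this same commit uses a guard clause and logs the failure with `warn()`. A guard such as `if (!bsslist) { warn("[%s:%d] failed to realloc bsslist\n", __func__, __LINE__); return; }` followed by the two assignments would keep the success path flat and leave a trace when a BSS entry is dropped, assuming `warn` is available in agent.c as it is in agent_map.c. The element added by realloc is not initialised anywhere in the visible lines. parse_ap_stats continues past the end of the hunk, so it is worth confirming that the slot at `bss_index` is zeroed before any field of it is read.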
diff --git a/src/agent_cmdu.c b/src/agent_cmdu.c
index ae18d76ed..b4ddaf2b1 100644
--- a/src/agent_cmdu.c
+++ b/src/agent_cmdu.c
@@ -1102,7 +1102,7 @@ struct cmdu_buff *agent_gen_topology_query(struct agent *a, uint8_t *origin)
 struct cmdu_buff *agent_gen_topology_response(struct agent *a, uint8_t *origin,
 	uint16_t mid)
 {
-	struct cmdu_buff *resp, *ext;
+	struct cmdu_buff *resp = NULL, *ext = NULL;
 	int ret;
 
 	/* query i1905d base CMDU */
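Review bot: Initialising `resp` and `ext` to NULL only helps if the `error:` label releases the buffer through these pointers, and that label lies outside the visible hunks. If `cmdu_realloc()` follows realloc semantics (an assumption, since its definition is not shown), then when `ext = cmdu_realloc(resp, 2000)` fails in the next hunk, `resp` still owns the original buffer and is the pointer the error path must free. A comment at the call would record that ownership rule, for example `/* on failure resp is still valid and is freed at error:; on success only ext may be used */`. The literal `2000` would also read better as a named constant.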
@@ -1113,7 +1113,6 @@ struct cmdu_buff *agent_gen_topology_response(struct agent *a, uint8_t *origin,
 		return NULL;
 	}
 
-
 	ext = cmdu_realloc(resp, 2000);
 	if (!ext)
 		goto error;
diff --git a/src/agent_map.c b/src/agent_map.c
index c4a88899c..65b85cbbd 100644
--- a/src/agent_map.c
+++ b/src/agent_map.c
@@ -4249,6 +4249,7 @@ static int agent_monitor_checkadd_sta(struct agent *a,
 {
 	size_t el_size = sizeof(struct wifi_unassoc_sta_element);
 	int num_sta = radio->num_unassoc_sta;
+	struct wifi_unassoc_sta_element *unassoc_stalist;
 	int i;
 
 	trace("agent: %s: --->\n", __func__);
@@ -4269,20 +4270,18 @@ static int agent_monitor_checkadd_sta(struct agent *a,
 	agent_sent_request_monitor_add(a, fh, macaddr);
 
 	/* STA not on the list yet - add */
-	if (!num_sta)
-		radio->unassoc_stalist = calloc(1, el_size);
-	else
-		radio->unassoc_stalist = realloc(
-			radio->unassoc_stalist,
+	unassoc_stalist = realloc(radio->unassoc_stalist,
 			(num_sta + 1) * el_size);
 
-	if (!radio->unassoc_stalist) {
+	if (!unassoc_stalist) {
 		warn("[%s:%d] failed to (re)allocate unassoc_stalist\n",
 		     __func__, __LINE__);
 		return -1;
 	}
 
+	radio->unassoc_stalist = unassoc_stalist;
 	radio->num_unassoc_sta++;
+
 	memset(&radio->unassoc_stalist[num_sta],
 			0, sizeof(struct wifi_unassoc_sta_element));
 	memcpy(radio->unassoc_stalist[num_sta].macaddr, macaddr, 6);
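Review bot: Dropping the `calloc` branch makes the first insertion depend on `radio->unassoc_stalist` being NULL whenever `num_unassoc_sta` is 0. The old code ignored the pointer in that case, whereas `realloc()` on a stale pointer is undefined behaviour. No visible line shows where the list is freed or reset, so it is worth checking that every such path sets the pointer to NULL, and stating the invariant next to the call, e.g. `/* relies on unassoc_stalist == NULL when num_unassoc_sta == 0 */`. Separately, `agent_sent_request_monitor_add()` still runs before the allocation, so on the `return -1` path a monitor request has been issued for a STA that is never recorded. Moving the call after the successful realloc would keep the two in step. The function starts before and continues after this hunk.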
-- 
GitLab