authorNaresh Jayaram <njayar@codeaurora.org>2015-02-09 16:02:12 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2015-02-13 07:27:00 -0800
commit8d0d3bdf91fe2769f016021249941f68dc5a4114 (patch)
treec30d7a8c77297377a889bb06169bbe50067ce111
parentdc2e9a88c1e6e50e075277d36b8d7f4c5d7093d0 (diff)
wifihal: Replace strcpy, vsprintf and handle NULL ptr dereferenc
strcpy() is not safe; use strlcpy() instead, which terminates the destination string with a NULL character. vsprintf() is not safe; use vsnprintf() instead, which has control over the number of bytes written to the output string or buffer. Avoid dereferencing the pointer before the NULL check. CRs-Fixed: 793085 Change-Id: I06218bf28e1c165932a7b4061128895bca66c527
-rw-r--r--qcwcn/wifi_hal/cpp_bindings.cpp16
-rw-r--r--qcwcn/wifi_hal/gscan_event_handler.cpp17
-rw-r--r--qcwcn/wifi_hal/llstats.cpp10
-rw-r--r--qcwcn/wifi_hal/wifi_hal.cpp26
4 files changed, 46 insertions, 23 deletions
diff --git a/qcwcn/wifi_hal/cpp_bindings.cpp b/qcwcn/wifi_hal/cpp_bindings.cpp
index ac7b1e0..87d6e86 100644
--- a/qcwcn/wifi_hal/cpp_bindings.cpp
+++ b/qcwcn/wifi_hal/cpp_bindings.cpp
@@ -39,11 +39,11 @@
#include "common.h"
#include "cpp_bindings.h"
-void appendFmt(char *buf, int &offset, const char *fmt, ...)
+void appendFmt(char *buf, size_t buf_len, int &offset, const char *fmt, ...)
{
va_list params;
va_start(params, fmt);
- offset += vsprintf(buf + offset, fmt, params);
+ offset += vsnprintf(buf + offset, buf_len - offset, fmt, params);
va_end(params);
}
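Review bot: The `offset += vsnprintf(...)` line still lets `offset` run past `buf_len`, because vsnprintf returns the length the formatted text would have had, not the bytes it wrote; once one call truncates, the next call computes `buf_len - offset` as a wrapped-around size_t and `buf + offset` points past the buffer, so the overflow this commit is fixing comes back. The advance should be clamped to the room actually available, a negative return should not move `offset`, and the `int offset` / `size_t buf_len` comparison needs an explicit cast. The rewritten body is below.
```cpp
void appendFmt(char *buf, size_t buf_len, int &offset, const char *fmt, ...)
{
    if (offset < 0 || (size_t)offset >= buf_len)
        return;                          /* no room left; offset unchanged */
    va_list params;
    va_start(params, fmt);
    int n = vsnprintf(buf + offset, buf_len - offset, fmt, params);
    va_end(params);
    if (n < 0)
        return;                          /* formatting failed; offset unchanged */
    /* vsnprintf reports the wanted length; advance only by what fit */
    size_t room = buf_len - offset - 1;  /* excludes the terminating NUL */
    offset += ((size_t)n <= room) ? n : (int)room;
}
```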
@@ -504,24 +504,24 @@ void WifiEvent::log() {
char line[81];
int linelen = min(16, len - i);
int offset = 0;
- appendFmt(line, offset, "%02x", data[i]);
+ appendFmt(line, sizeof(line), offset, "%02x", data[i]);
for (int j = 1; j < linelen; j++) {
- appendFmt(line, offset, " %02x", data[i+j]);
+ appendFmt(line, sizeof(line), offset, " %02x", data[i+j]);
}
for (int j = linelen; j < 16; j++) {
- appendFmt(line, offset, " ");
+ appendFmt(line, sizeof(line), offset, " ");
}
line[23] = '-';
- appendFmt(line, offset, " ");
+ appendFmt(line, sizeof(line), offset, " ");
for (int j = 0; j < linelen; j++) {
if (isprint(data[i+j])) {
- appendFmt(line, offset, "%c", data[i+j]);
+ appendFmt(line, sizeof(line), offset, "%c", data[i+j]);
} else {
- appendFmt(line, offset, "-");
+ appendFmt(line, sizeof(line), offset, "-");
}
}
diff --git a/qcwcn/wifi_hal/gscan_event_handler.cpp b/qcwcn/wifi_hal/gscan_event_handler.cpp
index f970238..168a82f 100644
--- a/qcwcn/wifi_hal/gscan_event_handler.cpp
+++ b/qcwcn/wifi_hal/gscan_event_handler.cpp
@@ -1074,14 +1074,17 @@ int GScanCommandEventHandler::handleEvent(WifiEvent &event)
(*mHandler.on_significant_change)(reqId,
mSignificantChangeNumResults,
mSignificantChangeResults);
- /* Reset flag and num counter. */
- for (index = 0; index < mSignificantChangeNumResults; index++)
- {
- free(mSignificantChangeResults[index]);
- mSignificantChangeResults[index] = NULL;
+ if (mSignificantChangeResults) {
+ /* Reset flag and num counter. */
+ for (index = 0; index < mSignificantChangeNumResults;
+ index++)
+ {
+ free(mSignificantChangeResults[index]);
+ mSignificantChangeResults[index] = NULL;
+ }
+ free(mSignificantChangeResults);
+ mSignificantChangeResults = NULL;
}
- free(mSignificantChangeResults);
- mSignificantChangeResults = NULL;
mSignificantChangeNumResults = 0;
mSignificantChangeMoreData = false;
}
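Review bot: The new `if (mSignificantChangeResults)` guard sits after the `on_significant_change` call on the three lines above it, so a NULL array has already been handed to the callback together with a non-zero `mSignificantChangeNumResults` before the check runs. If that state is reachable (the added check suggests the author believes it is), the invocation should be guarded by the same condition or the count forced to 0 when the array is NULL. Note also that `free(NULL)` is a no-op, so the guard only matters for the indexing loop, and the `/* Reset flag and num counter. */` comment now sits above the free loop; moving it down to the `mSignificantChangeNumResults = 0;` line would keep it accurate. handleEvent starts before this hunk.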
diff --git a/qcwcn/wifi_hal/llstats.cpp b/qcwcn/wifi_hal/llstats.cpp
index 9d7551e..e6b9350 100644
--- a/qcwcn/wifi_hal/llstats.cpp
+++ b/qcwcn/wifi_hal/llstats.cpp
@@ -921,11 +921,8 @@ int LLStatsCommand::handleEvent(WifiEvent &event)
free(mResultsParams.radio_stat);
mResultsParams.radio_stat = NULL;
}
- if(mResultsParams.iface_stat)
- {
- free(mResultsParams.iface_stat);
- mResultsParams.iface_stat = NULL;
- }
+ free(mResultsParams.iface_stat);
+ mResultsParams.iface_stat = NULL;
}
}
}
@@ -989,7 +986,8 @@ int LLStatsCommand::handleEvent(WifiEvent &event)
}
memset(pIfaceStat, 0, resultsBufSize);
- memcpy ( pIfaceStat, mResultsParams.iface_stat , sizeof(wifi_iface_stat));
+ if(mResultsParams.iface_stat)
+ memcpy ( pIfaceStat, mResultsParams.iface_stat , sizeof(wifi_iface_stat));
wifi_peer_info *pPeerStats;
pIfaceStat->num_peers = numPeers;
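Review bot: Skipping the memcpy when `mResultsParams.iface_stat` is NULL avoids the dereference, but the code then carries on with the all-zero `pIfaceStat` from the memset on the line above and still fills `num_peers` on the next line, so the caller receives zeroed interface stats as if they were real. Treating the missing stats as an error seems safer: `if (mResultsParams.iface_stat == NULL) { ALOGE("%s: iface_stat is NULL", __func__); return WIFI_ERROR_UNKNOWN; }`, plus whatever release the allocation of pIfaceStat above requires, which is outside the hunk. handleEvent starts and ends outside this hunk.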
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index f1bf78c..5d089b9 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -290,6 +290,15 @@ wifi_error wifi_initialize(wifi_handle *handle)
iface_handle = wifi_get_iface_handle((info->interfaces[0])->handle,
(info->interfaces[0])->name);
+ if (iface_handle == NULL) {
+ int i;
+ for (i = 0; i < info->num_interfaces; i++)
+ {
+ free(info->interfaces[i]);
+ }
+ ALOGE("%s no iface with %s\n", __func__, info->interfaces[0]->name);
+ return WIFI_ERROR_UNKNOWN;
+ }
ret = acquire_supported_features(iface_handle,
&info->supported_feature_set);
if (ret != WIFI_SUCCESS) {
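Review bot: The new error path reads `info->interfaces[0]->name` in the ALOGE after the loop above it has already freed every `info->interfaces[i]`, element 0 included, which is a use-after-free in the log call. It also frees the elements but not the `info->interfaces` array itself, unlike the cleanup this same commit adds in `wifi_init_interfaces`. Log first, then release both levels, as below; whether other resources acquired earlier in `wifi_initialize` (it starts before this hunk) also need releasing here cannot be told from the hunk.
```cpp
    if (iface_handle == NULL) {
        /* log before freeing: the name lives inside interfaces[0] */
        ALOGE("%s no iface with %s\n", __func__, info->interfaces[0]->name);
        for (int i = 0; i < info->num_interfaces; i++)
            free(info->interfaces[i]);
        free(info->interfaces);
        info->interfaces = NULL;
        return WIFI_ERROR_UNKNOWN;
    }
```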
@@ -574,7 +583,7 @@ static bool is_wifi_interface(const char *name)
static int get_interface(const char *name, interface_info *info)
{
- strcpy(info->name, name);
+ strlcpy(info->name, name, (IFNAMSIZ + 1));
info->id = if_nametoindex(name);
// ALOGI("found an interface : %s, id = %d", name, info->id);
return WIFI_SUCCESS;
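Review bot: The strlcpy bound on the changed line is the literal `(IFNAMSIZ + 1)` rather than the size of the destination, so if `interface_info::name` is declared with a different length the copy overruns again. Prefer `strlcpy(info->name, name, sizeof(info->name));` so the bound tracks the field. Truncation is also silent here; comparing strlcpy's return value against the bound would let get_interface reject an over-long name instead of storing a truncated one.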
@@ -606,6 +615,10 @@ wifi_error wifi_init_interfaces(wifi_handle handle)
return WIFI_ERROR_UNKNOWN;
info->interfaces = (interface_info **)malloc(sizeof(interface_info *) * n);
+ if (info->interfaces == NULL) {
+ ALOGE("%s: Error info->interfaces NULL", __func__);
+ return WIFI_ERROR_OUT_OF_MEMORY;
+ }
int i = 0;
while ((de = readdir(d))) {
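Review bot: The new `WIFI_ERROR_OUT_OF_MEMORY` return after the malloc leaves the directory handle `d` open, given that `readdir(d)` on the line below shows it was opened earlier in the function (the opendir is outside the hunk, so this is inferred); add `closedir(d);` before the return. The same applies to the `ifinfo == NULL` path in the next hunk (`@@ -614`), which additionally frees `info->interfaces` without resetting it to NULL, so a later cleanup on the same `info` could double-free it. wifi_init_interfaces starts and ends outside this hunk.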
@@ -614,6 +627,15 @@ wifi_error wifi_init_interfaces(wifi_handle handle)
if (is_wifi_interface(de->d_name)) {
interface_info *ifinfo
= (interface_info *)malloc(sizeof(interface_info));
+ if (ifinfo == NULL) {
+ ALOGE("%s: Error ifinfo NULL", __func__);
+ while (i > 0) {
+ free(info->interfaces[i-1]);
+ i--;
+ }
+ free(info->interfaces);
+ return WIFI_ERROR_OUT_OF_MEMORY;
+ }
if (get_interface(de->d_name, ifinfo) != WIFI_SUCCESS) {
free(ifinfo);
continue;
@@ -647,7 +669,7 @@ wifi_error wifi_get_iface_name(wifi_interface_handle handle, char *name,
size_t size)
{
interface_info *info = (interface_info *)handle;
- strcpy(name, info->name);
+ strlcpy(name, info->name, size);
return WIFI_SUCCESS;
}
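Review bot: `strlcpy(name, info->name, size)` on the changed line truncates silently when `size` is smaller than the stored name, yet the function still reports WIFI_SUCCESS. strlcpy returns the length it tried to copy, so `if (strlcpy(name, info->name, size) >= size) return WIFI_ERROR_UNKNOWN;` would let the caller learn that `name` is incomplete.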