From db47c654cc494f127c56701a568f45bf836206c8 Mon Sep 17 00:00:00 2001
From: HappyZ
Date: Mon, 14 Jan 2019 15:48:48 -0600
Subject: [PATCH] no crash! fix the buffer free bug on `p_csi`

---
 src/csi_extraction.c | 12 +++++++++---
 src/ucode.asm        |  6 +++---
 src/ucode.patch      |  6 +++---
 3 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/src/csi_extraction.c b/src/csi_extraction.c
index 33932ff..59a7094 100644
--- a/src/csi_extraction.c
+++ b/src/csi_extraction.c
@@ -149,9 +149,15 @@ create_new_csi_frame(struct wl_info *wl, struct sk_buff *p, struct wlc_d11rxhdr
     missing_csi_frames = wlc_rxhdr->rxhdr.NexmonExt;
+    // before create, first free the buffer no matter what
+    pkt_buf_free_skb(osh, p_csi, 0);
     // create new csi frame
     p_csi = pkt_buf_get_skb(osh, sizeof(struct csi_udp_frame) + missing_csi_frames * (RX_HDR_LEN * 2));
-    printf("p_csi = %X, missing_frame = %d\n", p_csi, missing_csi_frames);
+
+    if (!p_csi) {
+        printf("failed to allocate new %d-byte packet\n", sizeof(struct csi_udp_frame) + missing_csi_frames * (RX_HDR_LEN * 2));
+        return;
+    }
     inserted_csi_values = 0;
     struct csi_udp_frame *udpfrm = (struct csi_udp_frame *) p_csi->data;
@@ -236,8 +242,8 @@ process_frame_hook(struct sk_buff *p, struct wlc_d11rxhdr *wlc_rxhdr, struct wlc
         printf("xmit\n");
         wl->dev->chained->funcs->xmit(wl->dev, wl->dev->chained, p_csi);
         printf("sent\n");
+        pkt_buf_free_skb(osh, p_csi, 0);
         p_csi = 0;
-        //pkt_buf_free_skb(osh, p_csi, 0);
         //printf("cleaning p_csi done\n");
         //p_csi = 0;
     }
@@ -262,7 +268,7 @@ process_frame_hook(struct sk_buff *p, struct wlc_d11rxhdr *wlc_rxhdr, struct wlc
     } else if (p_csi != 0) {
         printf("missing csi, re-initializing p_csi\n");
         pkt_buf_free_skb(osh, p_csi, 0);
-        //p_csi = 0;
+        p_csi = 0;
     }
     // only continue processing this frame, if it is not a csi frame
     // printf("start non-csi frame\n");
diff --git a/src/ucode.asm b/src/ucode.asm
index 2a6dd91..1f8145b 100644
--- a/src/ucode.asm
+++ b/src/ucode.asm
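Review bot: The new unconditional `pkt_buf_free_skb(osh, p_csi, 0);` at the top of create_new_csi_frame also runs when p_csi is 0, which is exactly the state the other two hunks in this file now leave it in after a transmit or a missing-CSI reset; unless the firmware's pkt_buf_free_skb is known to accept a null buffer, guard it: `if (p_csi) pkt_buf_free_skb(osh, p_csi, 0);`. The failure-path printf formats a size_t-valued sizeof expression with `%d`; printing `(unsigned)` of the size with `%u`, or just `missing_csi_frames`, avoids the format mismatch. A one-line comment on the free stating that p_csi is shared between create_new_csi_frame and process_frame_hook and may still hold a frame that was never transmitted would make the free-before-alloc intent clear to the next reader. create_new_csi_frame begins before and continues after this hunk.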
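Review bot: Freeing p_csi immediately after `wl->dev->chained->funcs->xmit(wl->dev, wl->dev->chained, p_csi);` in process_frame_hook assumes xmit does not take ownership of the buffer; if the chained device's xmit consumes the skb and releases it itself, as transmit paths commonly do, the added free is a double free rather than a fix, so the ownership contract should be confirmed and recorded on the free line, e.g. `// xmit does not take ownership of p_csi; release it here` once verified. The two commented-out lines kept below the free (`//printf("cleaning p_csi done\n");` and `//p_csi = 0;`) are now dead code and should be deleted. The same free-then-clear pair is repeated in the hunk at -262 of this file; a small static helper that frees and zeroes p_csi in one place would keep the sites consistent. process_frame_hook starts and ends outside this hunk.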
@@ -2908,9 +2908,9 @@ spin_rx_end:
     jne [6,off1], SPARE1, skip+
     mov [CMP_DST_MAC_2], SPARE1
     jne [7,off1], SPARE1, skip+
-    add [COUNTER], 1, [COUNTER]
-    and [COUNTER], 0x3, [COUNTER]
-    jne [COUNTER], 0, skip+
+    //add [COUNTER], 1, [COUNTER]
+    //and [COUNTER], 0x3, [COUNTER]
+    //jne [COUNTER], 0, skip+
     mov 1, r55
     or [5,off1], 0x0, [CMP_DST_MAC_SAVE_0]
     or [6,off1], 0x0, [CMP_DST_MAC_SAVE_1]
diff --git a/src/ucode.patch b/src/ucode.patch
index e29fdc3..30a4808 100644
--- a/src/ucode.patch
+++ b/src/ucode.patch
@@ -75,9 +75,9 @@
 +    jne [6,off1], SPARE1, skip+
 +    mov [CMP_DST_MAC_2], SPARE1
 +    jne [7,off1], SPARE1, skip+
-+    add [COUNTER], 1, [COUNTER]
-+    and [COUNTER], 0x3, [COUNTER]
-+    jne [COUNTER], 0, skip+
++    //add [COUNTER], 1, [COUNTER]
++    //and [COUNTER], 0x3, [COUNTER]
++    //jne [COUNTER], 0, skip+
 +    mov 1, r55
 +    or [5,off1], 0x0, [CMP_DST_MAC_SAVE_0]
 +    or [6,off1], 0x0, [CMP_DST_MAC_SAVE_1]
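Review bot: The three instructions from `add [COUNTER], 1, [COUNTER]` through `jne [COUNTER], 0, skip+` are kept as `//`-commented dead code instead of being deleted, and neither the hunk nor the commit message (which only mentions the p_csi free) says why this gate goes away; from the visible lines it appears to have let only every fourth destination-MAC match fall through to `mov 1, r55`, so removing it plausibly changes how often the CSI path fires. Delete the lines and leave a one-line note at the site, e.g. `// no subsampling: every matched frame is reported`, or state the reason in the commit message. The identical edit is mirrored in src/ucode.patch in the following hunk, so both copies of the microcode source have to be updated together whenever this block changes.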