authorKiran Kumar Lokere <klokere@qca.qualcomm.com>2014-02-20 17:11:19 -0800
committerAkash Patel <c_akashp@qca.qualcomm.com>2014-02-24 21:15:05 -0800
commit21793406140b4fd3467b4ec02877f2fc5e8cfeb7 (patch)
tree650837855eebbc870a393681326a775454b11130
parent68075ab013c3c22bac6e7d03afeade72e1a692f7 (diff)
qcacld: Fix the possible NULL pointer dereference.
Fixes the possible NULL pointer dereference observed in static code analysis. Change-Id: I7a9db99d557ef347367bb714b9d40f2b071805fa CRs-Fixed: 619515
-rw-r--r--CORE/MAC/src/pe/lim/limApi.c3
-rw-r--r--CORE/MAC/src/pe/lim/limProcessMessageQueue.c12
-rw-r--r--CORE/MAC/src/pe/lim/limUtils.c18
-rw-r--r--CORE/VOSS/src/vos_packet.c7
4 files changed, 31 insertions, 9 deletions
diff --git a/CORE/MAC/src/pe/lim/limApi.c b/CORE/MAC/src/pe/lim/limApi.c
index c64b1ed57dbc..bf3addb287ff 100644
--- a/CORE/MAC/src/pe/lim/limApi.c
+++ b/CORE/MAC/src/pe/lim/limApi.c
@@ -1347,6 +1347,7 @@ VOS_STATUS peHandleMgmtFrame( v_PVOID_t pvosGCtx, v_PVOID_t vosBuff)
{
// cannot log a failure without a valid pMac
vos_pkt_return_packet(pVosPkt);
+ pVosPkt = NULL;
return VOS_STATUS_E_FAILURE;
}
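Review bot: `pVosPkt = NULL;` directly before `return VOS_STATUS_E_FAILURE;` looks like a dead store, here and in the hunk at -1355; in the hunk at -1387 it is followed only by a `limLog` call that does not use the pointer. The declaration of pVosPkt is outside these hunks, but if it is a local copy of `vosBuff`, the caller's pointer still refers to the returned packet after peHandleMgmtFrame exits. A guard against reuse has to live where the pointer stays in scope. At minimum, a function comment such as `/* Consumes vosBuff on every return path; callers must not touch it afterwards. */` would document the ownership rule.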
@@ -1355,6 +1356,7 @@ VOS_STATUS peHandleMgmtFrame( v_PVOID_t pvosGCtx, v_PVOID_t vosBuff)
if(!VOS_IS_STATUS_SUCCESS(vosStatus))
{
vos_pkt_return_packet(pVosPkt);
+ pVosPkt = NULL;
return VOS_STATUS_E_FAILURE;
}
@@ -1387,6 +1389,7 @@ VOS_STATUS peHandleMgmtFrame( v_PVOID_t pvosGCtx, v_PVOID_t vosBuff)
mHdr->fc.subType ))
{
vos_pkt_return_packet(pVosPkt);
+ pVosPkt = NULL;
limLog( pMac, LOGW,
FL ( "sysBbtProcessMessageCore failed to process SIR_BB_XPORT_MGMT_MSG" ));
return VOS_STATUS_E_FAILURE;
diff --git a/CORE/MAC/src/pe/lim/limProcessMessageQueue.c b/CORE/MAC/src/pe/lim/limProcessMessageQueue.c
index a0b7a694323b..088b1ffcadd5 100644
--- a/CORE/MAC/src/pe/lim/limProcessMessageQueue.c
+++ b/CORE/MAC/src/pe/lim/limProcessMessageQueue.c
@@ -1094,6 +1094,12 @@ limProcessMessages(tpAniSirGlobal pMac, tpSirMsgQ limMsg)
limMsg->bodyptr = NULL;
return;
}
+ if (limMsg == NULL)
+ {
+ limLog(pMac, LOGE, FL("Message pointer is Null"));
+ VOS_ASSERT(0);
+ return;
+ }
#ifdef WLAN_DEBUG
pMac->lim.numTot++;
#endif
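Review bot: The new `if (limMsg == NULL)` check sits after a branch that already executes `limMsg->bodyptr = NULL;`, so the guard comes later than the first visible dereference. The condition of that earlier branch is outside the hunk; if it can be taken with a NULL limMsg, or itself reads limMsg, the dereference this commit targets remains. Moving the check to the first statement of limProcessMessages would cover every path. The function body starts and ends outside the hunk.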
@@ -1188,6 +1194,12 @@ limProcessMessages(tpAniSirGlobal pMac, tpSirMsgQ limMsg)
* and next time when we try to process the msg, we will try to use 'BD' as
* 'Vos Pkt' which will cause a crash
*/
+ if (limMsg->bodyptr == NULL)
+ {
+ limLog(pMac, LOGE, FL("Message bodyptr is Null"));
+ VOS_ASSERT(0);
+ break;
+ }
vos_mem_copy((tANI_U8*)&limMsgNew, (tANI_U8*)limMsg,
sizeof(tSirMsgQ));
pVosPkt = (vos_pkt_t *)limMsgNew.bodyptr;
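Review bot: The added `limMsg->bodyptr == NULL` check separates the existing block comment from the `vos_mem_copy` it explains, so the comment now reads as if it described the NULL check. Place the check above that comment, or give it its own line such as `/* Nothing to process without a packet in bodyptr. */`. Whether `break` leaves the enclosing case with nothing left to release depends on code outside the hunk.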
diff --git a/CORE/MAC/src/pe/lim/limUtils.c b/CORE/MAC/src/pe/lim/limUtils.c
index 365ac2beb408..2130b23c30ec 100644
--- a/CORE/MAC/src/pe/lim/limUtils.c
+++ b/CORE/MAC/src/pe/lim/limUtils.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011-2013 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2014 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -7326,12 +7326,16 @@ tpPESession limIsApSessionActive(tpAniSirGlobal pMac)
void limHandleDeferMsgError(tpAniSirGlobal pMac, tpSirMsgQ pLimMsg)
{
- if(SIR_BB_XPORT_MGMT_MSG == pLimMsg->type)
- {
- vos_pkt_return_packet((vos_pkt_t*)pLimMsg->bodyptr);
- }
- else if(pLimMsg->bodyptr != NULL)
- vos_mem_free( pLimMsg->bodyptr);
+ if(SIR_BB_XPORT_MGMT_MSG == pLimMsg->type)
+ {
+ vos_pkt_return_packet((vos_pkt_t*)pLimMsg->bodyptr);
+ pLimMsg->bodyptr = NULL;
+ }
+ else if(pLimMsg->bodyptr != NULL)
+ {
+ vos_mem_free(pLimMsg->bodyptr);
+ pLimMsg->bodyptr = NULL;
+ }
}
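Review bot: The `SIR_BB_XPORT_MGMT_MSG` branch still passes `pLimMsg->bodyptr` to `vos_pkt_return_packet` without the NULL test that the `else` branch applies, and `pLimMsg` itself is dereferenced unchecked. The vos_packet.c part of this commit shows `vos_pkt_return_packet` reading `packet->pkt_buf`; any argument validation before that line is outside the visible hunk. Because `bodyptr` is now set to NULL after release, a second call on the same message would reach this branch with a NULL packet. Wrapping the return call in `if (pLimMsg->bodyptr != NULL)` would make the function safe to repeat.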
diff --git a/CORE/VOSS/src/vos_packet.c b/CORE/VOSS/src/vos_packet.c
index 44e5912a7b11..c7d527eb9ee3 100644
--- a/CORE/VOSS/src/vos_packet.c
+++ b/CORE/VOSS/src/vos_packet.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2013 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2014 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -64,6 +64,8 @@ VOS_STATUS vos_pkt_return_packet(vos_pkt_t *packet)
/* Free up the Adf nbuf */
adf_nbuf_free(packet->pkt_buf);
+ packet->pkt_buf = NULL;
+
/* Free up the Rx packet */
vos_mem_free(packet);
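Review bot: `packet->pkt_buf = NULL;` writes into an object that `vos_mem_free(packet)` releases on the next statement, so the store cannot protect later users; reading `pkt_buf` through a stale `packet` pointer is already a use-after-free. The `pPacket->pkt_buf == NULL` test added to `vos_pkt_get_packet_length` in the following hunk can therefore only be relied on for packets that never had a buffer, not for returned ones, and a comment saying so would avoid a false sense of protection. In that same condition the new term sits outside `unlikely(...)`; writing `unlikely((pPacket == NULL) || (pPacketSize == NULL) || (pPacket->pkt_buf == NULL))` keeps the whole error test under one hint.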
@@ -89,7 +91,8 @@ VOS_STATUS vos_pkt_get_packet_length( vos_pkt_t *pPacket,
v_U16_t *pPacketSize )
{
// Validate the parameter pointers
- if (unlikely((pPacket == NULL) || (pPacketSize == NULL)))
+ if (unlikely((pPacket == NULL) || (pPacketSize == NULL)) ||
+ (pPacket->pkt_buf == NULL))
{
VOS_TRACE(VOS_MODULE_ID_VOSS, VOS_TRACE_LEVEL_FATAL,
"VPKT [%d]: NULL pointer", __LINE__);