authorc_zding <c_zding@qti.qualcomm.com>2016-08-01 16:41:41 +0800
committerAnjaneedevi Kapparapu <akappa@codeaurora.org>2016-08-02 14:49:54 +0530
commit3b6a446482717ce03d29de89915213b4aa4d7902 (patch)
tree7d86aa0836441eea018a25228ff0110bb17d112e
parent429032c359a75cffce510262bb5bf3a502ac6b01 (diff)
qcacld-2.0: Avoid null pointer when STAUT connect to specific AP
When the STAUT connects to a specific AP, it receives a fragment frame with "fragno" equal to 0 and "more_frag" equal to 0, and the skb is then chained for RX thread processing. However, the skb is freed at the end of "htt_t2h_lp_msg_process". This triggers a null pointer dereference in "tlshim_data_rx_cb". The change is to clone this single fragment for RX thread processing, using the same logic as for non-single fragment frames. Change-Id: Ieb16cf28e04443ea13e992d04688355c39a56a52 CRs-Fixed: 1048532
-rw-r--r--CORE/CLD_TXRX/TXRX/ol_rx_defrag.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c b/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
index b084889eb040..358d6d660c3b 100644
--- a/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
+++ b/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
@@ -288,8 +288,8 @@ ol_rx_reorder_store_frag(
more_frag = mac_hdr->i_fc[1] & IEEE80211_FC1_MORE_FRAG;
if ((!more_frag) && (!fragno) && (!rx_reorder_array_elem->head)) {
- rx_reorder_array_elem->head = frag;
- rx_reorder_array_elem->tail = frag;
+ ol_rx_fraglist_insert(htt_pdev, &rx_reorder_array_elem->head,
+ &rx_reorder_array_elem->tail, frag, &all_frag_present);
adf_nbuf_set_next(frag, NULL);
ol_rx_defrag(pdev, peer, tid, rx_reorder_array_elem->head);
rx_reorder_array_elem->head = NULL;