authorPragaspathi Thilagaraj <tpragasp@codeaurora.org>2018-07-10 19:07:46 +0530
committernshrivas <nshrivas@codeaurora.org>2018-07-23 07:45:39 -0700
commit7e2d77499a62191d33bf23ea28c5ba528178af32 (patch)
tree8329b25f4cb10fd1bb003bde943eca640f346c46
parentc6439d4d981a8744cbddadc0210e1b5867822226 (diff)
qcacld-3.0: Add maximum limit check before inserting into scan cache
In SAP scan path, csr_scan_add_result used to add the scan result to the scan cache by invoking csr_scan_add_result. But this flow doesn't check if the scan cache has reached its maximum limit. Also, there is a possible double free in the function csr_scan_create_entry_in_scan_cache if the structure pNewBssDescriptor, which is added to the scan cache linked list, is freed. Add maximum BSS limit check before invoking csr_scan_add_result. Change-Id: Iac8098253a9e384d928a6aa309fa1dbe9b5a0d4b CRs-Fixed: 2276043
-rw-r--r--core/sme/src/csr/csr_api_scan.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/core/sme/src/csr/csr_api_scan.c b/core/sme/src/csr/csr_api_scan.c
index 490f245d7bfc..678f124b6483 100644
--- a/core/sme/src/csr/csr_api_scan.c
+++ b/core/sme/src/csr/csr_api_scan.c
@@ -3822,6 +3822,10 @@ static struct tag_csrscan_result *csr_scan_save_bss_description(tpAniSirGlobal
/* figure out how big the BSS description is (the BSSDesc->length does
* NOT include the size of the length field itself).
*/
+ if (CSR_SCAN_IS_OVER_BSS_LIMIT(pMac)) {
+ sme_debug("BSS Limit reached");
+ return NULL;
+ }
cbBSSDesc = pBSSDescription->length + sizeof(pBSSDescription->length);
cbAllocated = sizeof(struct tag_csrscan_result) + cbBSSDesc;
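Review bot: The new `CSR_SCAN_IS_OVER_BSS_LIMIT(pMac)` guard is inserted between the "figure out how big the BSS description is" comment and the `cbBSSDesc` computation that comment describes, so the comment now reads as if it documented the limit check. Move the guard above that comment and give it its own, for example `/* Bound the scan cache: drop this result once the maximum BSS count is reached */`. Returning NULL here also makes "cache full" indistinguishable from the allocation-failure case for callers, so it is worth confirming that every caller treats NULL as "entry dropped" and neither dereferences nor frees anything on that path; the callers are not visible in this diff. The body of csr_scan_save_bss_description starts before and continues after this hunk.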
@@ -3837,10 +3841,7 @@ static struct tag_csrscan_result *csr_scan_save_bss_description(tpAniSirGlobal
bssId));
qdf_mem_copy(&pCsrBssDescription->Result.BssDescriptor,
pBSSDescription, cbBSSDesc);
- if (NULL != pCsrBssDescription->Result.pvIes) {
- QDF_ASSERT(pCsrBssDescription->Result.pvIes == NULL);
- return NULL;
- }
+
csr_scan_add_result(pMac, pCsrBssDescription, pIes, sessionId);
}