| author | Padma, Santhosh Kumar <skpadma@qti.qualcomm.com> | 2015-11-03 19:41:27 +0530 |
|---|---|---|
| committer | Anjaneedevi Kapparapu <akappa@codeaurora.org> | 2016-05-24 15:44:07 +0530 |
| commit | cf841ce0cc10413b5faa2d674351bf1672080b1c (patch) | |
| tree | 97481dd97a20822d0c93e3f021fce8707fc6b066 | |
| parent | eb090691690fac43ae6c2b8f14b2efe327f449f0 (diff) | |
qcacld-2.0: Validate pHashTable
prima to qcacld-2.0 propagation
When deauth/disassoc is received from peer at the same time when
cleanup in progress because of disconnect from supplicant, there
is a chance that pHashTable can be NULL. Memory pointed by
pHashTable is freed during peDeleteSession, which is called during
cleanup. In dphLookupHashEntry, pHashTable is referenced without
any NULL check, which can lead to crash. Fix this by validating
pHashTable for NULL check.
Add a NULL check in _limProcessOperatingModeActionFrame before
referencing sta context to resolve potential KW issue.
Change-Id: I74d5c739cade19941320ee02eddc09e4fc74b105
CRs-Fixed: 898375
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | CORE/MAC/src/dph/dphHashTable.c | 5 |
| -rw-r--r-- | CORE/MAC/src/pe/lim/limProcessActionFrame.c | 4 |
2 files changed, 8 insertions, 1 deletions
diff --git a/CORE/MAC/src/dph/dphHashTable.c b/CORE/MAC/src/dph/dphHashTable.c index ed2c6e06423c..a39886b02587 100644 --- a/CORE/MAC/src/dph/dphHashTable.c +++ b/CORE/MAC/src/dph/dphHashTable.c @@ -134,6 +134,11 @@ tpDphHashNode dphLookupHashEntry(tpAniSirGlobal pMac, tANI_U8 staAddr[], tANI_U1 tpDphHashNode ptr = NULL; tANI_U16 index = hashFunction(pMac, staAddr, pDphHashTable->size); + if (!pDphHashTable->pHashTable) { + limLog(pMac, LOGE, FL(" pHashTable is NULL ")); + return ptr; + } + for (ptr = pDphHashTable->pHashTable[index]; ptr; ptr = ptr->next) { if (dphCompareMacAddr(staAddr, ptr->staAddr)) diff --git a/CORE/MAC/src/pe/lim/limProcessActionFrame.c b/CORE/MAC/src/pe/lim/limProcessActionFrame.c index f359980906ab..d9edc9c7b22a 100644 --- a/CORE/MAC/src/pe/lim/limProcessActionFrame.c +++ b/CORE/MAC/src/pe/lim/limProcessActionFrame.c @@ -562,8 +562,10 @@ __limProcessOperatingModeActionFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo } pSta = dphLookupHashEntry(pMac, pHdr->sa, &aid, &psessionEntry->dph.dphHashTable); - if (pSta == NULL) + if (pSta == NULL) { + limLog(pMac, LOGE, FL("Station context not found")); goto end; + } operMode = pSta->vhtSupportedChannelWidthSet ? eHT_CHANNEL_WIDTH_80MHZ : pSta->htSupportedChannelWidthSet ? eHT_CHANNEL_WIDTH_40MHZ: eHT_CHANNEL_WIDTH_20MHZ; |
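Review bot: in the dphLookupHashEntry hunk, the new `if (!pDphHashTable->pHashTable)` guard sits after `index = hashFunction(pMac, staAddr, pDphHashTable->size);`, so on the early-return path the index is computed against a table the caller already knows is torn down and then discarded; moving the check above the `hashFunction` call would keep the bail-out before any field of the table is consulted. More importantly, the commit message describes a race between a peer deauth/disassoc and cleanup in peDeleteSession, and a bare check-then-use on `pHashTable` without any locking only narrows that window: if the free can land between the check and `for (ptr = pDphHashTable->pHashTable[index]; ...)`, the walk still dereferences freed memory, so it is worth stating in the message (or a comment) what serialises the lookup against peDeleteSession, or confirming both run under the same PE context. Minor: the log string `FL(" pHashTable is NULL ")` carries stray leading and trailing spaces.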
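Review bot: in the __limProcessOperatingModeActionFrame hunk, the `if (pSta == NULL)` test was already present; the change only adds braces and a `limLog(pMac, LOGE, FL("Station context not found"))`, so the commit message's claim of adding a NULL check before referencing the sta context overstates it and should say the log line was added to satisfy the static-analysis (KW) finding. Two points on the logging itself: this path is reachable for an operating-mode action frame from any sender whose address is not in the hash table, so a LOGE on every such frame is attacker-influenced log volume and a lower level or rate limiting would be safer; and when the lookup fails because `pHashTable` is NULL, the companion hunk in dphLookupHashEntry already logs at LOGE, so the same event now produces two error lines. Finally, the hunk dereferences `&psessionEntry->dph.dphHashTable` right after a closing `}`; the preceding context is not shown, so please confirm `psessionEntry` is validated before this point.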
