authorWill Huang <wilhuang@codeaurora.org>2017-01-06 13:00:34 +0800
committerGerrit - the friendly Code Review server <code-review@localhost>2017-02-08 20:29:52 -0800
commitd2cc6124f401fbcc79666dbeba5b8d645ae80639 (patch)
treef3d8c45364b8150568ee2ce4b89342955fb7a93c
parente0beb21f5ac3107c128f4951c8b9713ca394db90 (diff)
qcacld-2.0: Add NULL pointer and range check
Pointers are dereferenced without a NULL check in tl_shim.c and wlan_hdd_cfg80211.c, and an array is accessed without a range check in csrApiScan.c. Change-Id: Ic708975d86e7d3602576e1cabcdcd07a4ad915b4 CRs-Fixed: 1108218
-rw-r--r--CORE/CLD_TXRX/TLSHIM/tl_shim.c12
-rw-r--r--CORE/HDD/src/wlan_hdd_cfg80211.c2
-rw-r--r--CORE/SME/src/csr/csrApiScan.c6
3 files changed, 15 insertions, 5 deletions
diff --git a/CORE/CLD_TXRX/TLSHIM/tl_shim.c b/CORE/CLD_TXRX/TLSHIM/tl_shim.c
index 268a1e529f0f..a3823e320ace 100644
--- a/CORE/CLD_TXRX/TLSHIM/tl_shim.c
+++ b/CORE/CLD_TXRX/TLSHIM/tl_shim.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -1236,12 +1236,18 @@ void *tlshim_peer_validity(void *vos_ctx, uint8_t sta_id)
{
struct txrx_tl_shim_ctx *tl_shim = vos_get_context(VOS_MODULE_ID_TL,
vos_ctx);
+ struct ol_txrx_pdev_t *pdev = vos_get_context(VOS_MODULE_ID_TXRX,
+ vos_ctx);
struct ol_txrx_peer_t *peer;
if (!tl_shim) {
TLSHIM_LOGE("tl_shim is NULL");
return NULL;
}
+ if (!pdev) {
+ TLSHIM_LOGE("pdev is NULL");
+ return NULL;
+ }
if (sta_id >= WLAN_MAX_STA_COUNT) {
TLSHIM_LOGE("Invalid sta id for data tx");
@@ -1253,9 +1259,7 @@ void *tlshim_peer_validity(void *vos_ctx, uint8_t sta_id)
return NULL;
}
- peer = ol_txrx_peer_find_by_local_id(
- vos_get_context(VOS_MODULE_ID_TXRX,vos_ctx),
- sta_id);
+ peer = ol_txrx_peer_find_by_local_id(pdev, sta_id);
if (!peer) {
TLSHIM_LOGW("Invalid peer");
return NULL;
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index dd79675c4440..821bc2748c55 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -19587,7 +19587,7 @@ static eHalStatus hdd_cfg80211_scan_done_callback(tHalHandle halHandle,
}
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,14,0))
- if (!(pAdapter->dev->flags & IFF_UP)) {
+ if (pAdapter->dev && !(pAdapter->dev->flags & IFF_UP)) {
hddLog(VOS_TRACE_LEVEL_ERROR, FL("Interface is down"));
iface_down = true;
}
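Review bot: With the added `pAdapter->dev &&` guard, a NULL `pAdapter->dev` skips the branch and leaves `iface_down` false, so the rest of the callback proceeds as if the interface were up. If a missing net_device should be handled like a down interface, the condition would read `if (!pAdapter->dev || !(pAdapter->dev->flags & IFF_UP)) {`. The guard also exists only under `LINUX_VERSION_CODE >= KERNEL_VERSION(3,14,0)`. hdd_cfg80211_scan_done_callback starts and ends outside the hunk, so whether later code dereferences `pAdapter->dev` on other paths cannot be confirmed from here.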
diff --git a/CORE/SME/src/csr/csrApiScan.c b/CORE/SME/src/csr/csrApiScan.c
index 67e5f5559fe4..1799ea542f0a 100644
--- a/CORE/SME/src/csr/csrApiScan.c
+++ b/CORE/SME/src/csr/csrApiScan.c
@@ -735,6 +735,12 @@ eHalStatus csrScanRequest(tpAniSirGlobal pMac, tANI_U16 sessionId,
{
tANI_U32 numChn = pMac->scan.baseChannels.numChannels;
+ if (numChn > WNI_CFG_VALID_CHANNEL_LIST_LEN) {
+ smsLog(pMac, LOGE,
+ FL("Invalid number of channels: %d"), numChn);
+ status = eHAL_STATUS_FAILURE;
+ break;
+ }
vos_mem_set(&p11dScanCmd->u.scanCmd, sizeof(tScanCmd), 0);
pChnInfo->ChannelList = vos_mem_malloc(numChn);
if ( NULL == pChnInfo->ChannelList )
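Review bot: The new log line prints `numChn`, declared `tANI_U32`, with `%d`; an out-of-range count is exactly the case where a signed conversion can misreport the value, so `FL("Invalid number of channels: %u"), numChn);` matches the type. The check bounds the count only from above, so a `numChn` of zero still reaches `vos_mem_malloc(numChn)`; whether that call rejects a zero size is not visible here and is worth confirming. The `break` relies on an enclosing loop or switch that begins outside the hunk, and the copy that consumes `numChn` lies after the hunk's last line. The bound is assumed to equal the capacity of the source channel list.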