| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2018-02-21 12:36:35 +0530 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-03-05 10:21:35 -0800 |
| commit | f658dcb4aa59a2d53ce58e09c9ef66c1b2f00bda (patch) | |
| tree | 0a8dc7f71478ac2c1dd251fd427bac134101eb3f | |
| parent | c017965cea0b0131c8f035419cc24815bd86de7a (diff) | |
qcacld-3.0: Handle error case in wma_extscan_cached_results_event_handler
Currently, the driver calls the wma_group_num_bss_to_scan_id API from
wma_extscan_cached_results_event_handler to group bss into the scan id
table. The HDD callback is then called without checking the return
status of wma_group_num_bss_to_scan_id, which can lead to a NULL pointer
dereference in wlan_hdd_cfg80211_extscan_cached_results_ind if the malloc
for t_scan_id_grp->ap fails in wma_group_num_bss_to_scan_id.
Add a check for the return status of "wma_group_num_bss_to_scan_id" in
wma_extscan_cached_results_event_handler before invoking the HDD callback.
Change-Id: I457f39404436c54feb4b555f8101895d3c1ae5d7
CRs-Fixed: 2188297
| -rw-r--r-- | core/wma/src/wma_scan_roam.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c
index 38e9e6fb1203..2cceb36036e8 100644
--- a/core/wma/src/wma_scan_roam.c
+++ b/core/wma/src/wma_scan_roam.c
@@ -4990,7 +4990,7 @@ int wma_extscan_cached_results_event_handler(void *handle,
 struct extscan_cached_scan_results empty_cachelist;
 wmi_extscan_wlan_descriptor *src_hotlist;
 wmi_extscan_rssi_info *src_rssi;
- int i, moredata, scan_ids_cnt, buf_len;
+ int i, moredata, scan_ids_cnt, buf_len, status;
 tpAniSirGlobal pMac = cds_get_context(QDF_MODULE_ID_PE);
 uint32_t total_len;
 bool excess_data = false;
@@ -5088,19 +5088,24 @@ int wma_extscan_cached_results_event_handler(void *handle,
 dest_result = dest_cachelist->result;
 wma_fill_num_results_per_scan_id(cmd_param_info, dest_result);
- wma_group_num_bss_to_scan_id(cmd_param_info, dest_cachelist);
- pMac->sme.pExtScanIndCb(pMac->hHdd,
+ status = wma_group_num_bss_to_scan_id(cmd_param_info, dest_cachelist);
+ if (!status)
+ pMac->sme.pExtScanIndCb(pMac->hHdd,
 eSIR_EXTSCAN_CACHED_RESULTS_IND, dest_cachelist);
+ else
+ WMA_LOGD("wma_group_num_bss_to_scan_id failed, not calling callback");
+ dest_result = dest_cachelist->result;
 for (i = 0; i < dest_cachelist->num_scan_ids; i++) {
- qdf_mem_free(dest_result->ap);
+ if (dest_result->ap)
+ qdf_mem_free(dest_result->ap);
 dest_result++;
 }
 qdf_mem_free(dest_cachelist->result);
 qdf_mem_free(dest_cachelist);
- return 0;
+ return status;
 noresults:
 empty_cachelist.request_id = event->request_id; |
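Review bot: In the second hunk the cleanup loop now also runs after wma_group_num_bss_to_scan_id has failed, and `if (dest_result->ap)` is only safe there if every `ap` the grouping step never allocated is NULL. The allocation of `dest_cachelist->result` is outside the hunk, so confirm it is zero-initialised; otherwise the check passes on an uninitialised pointer and `qdf_mem_free` is called on it. A comment above the loop such as `/* ap stays NULL for entries the grouping step did not allocate */` would record that dependency. The failure is also reported with `WMA_LOGD`, so an allocation failure that drops the cached results is likely invisible unless debug logging is enabled; `WMA_LOGE("wma_group_num_bss_to_scan_id failed, not calling callback");` would surface it. The function body starts and ends outside the hunk.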
