-rw-r--r--hif/src/hif_main.c5
-rw-r--r--wmi/src/wmi_unified_tlv.c8
2 files changed, 10 insertions, 3 deletions
diff --git a/hif/src/hif_main.c b/hif/src/hif_main.c
index 6892d72c1c76..8d1ab89cfb6b 100644
--- a/hif/src/hif_main.c
+++ b/hif/src/hif_main.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2015-2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -1178,6 +1178,9 @@ void hif_fake_apps_resume_work(struct work_struct *work)
container_of(work, struct fake_apps_context, resume_work);
QDF_BUG(ctx->resume_callback);
+ if (!ctx->resume_callback)
+ return;
+
ctx->resume_callback(0);
ctx->resume_callback = NULL;
}
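Review bot: The added guard `if (!ctx->resume_callback)` and the call `ctx->resume_callback(0)` load the field separately, so the check only protects the call if nothing can clear or replace the pointer between the two reads; no lock or local snapshot is visible in this hunk. If the field can be written from another context (worth confirming against the code that schedules this work item), read it once into a local of the callback's type and test and call that local, e.g. `cb = ctx->resume_callback; if (!cb) return; cb(0);`. The guard directly follows `QDF_BUG(ctx->resume_callback)`, presumably because the assertion does not stop execution in every build configuration; a one-line comment such as `/* QDF_BUG may be non-fatal: never call through a NULL callback */` would keep the check from being removed later as redundant. The function's opening lines are outside the hunk.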
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 1d0fe3c12174..d8320699bbc4 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -14741,14 +14741,18 @@ extract_roam_scan_stats_res_evt_tlv(wmi_unified_t wmi_handle, void *evt_buf,
num_scans = fixed_param->num_roam_scans;
scan_param_size = sizeof(struct wmi_roam_scan_stats_params);
- *vdev_id = fixed_param->vdev_id;
if (num_scans > WMI_ROAM_SCAN_STATS_MAX) {
WMI_LOGE(FL("%u exceeded maximum roam scan stats: %u"),
num_scans, WMI_ROAM_SCAN_STATS_MAX);
return QDF_STATUS_E_INVAL;
}
+ if ((num_scans > ((UINT_MAX - sizeof(*res)) / scan_param_size))) {
+ WMI_LOGP("%s: Invalid num_roam_scans %d", __func__, num_scans);
+ return QDF_STATUS_E_INVAL;
+ }
total_len = sizeof(*res) + num_scans * scan_param_size;
+ *vdev_id = fixed_param->vdev_id;
res = qdf_mem_malloc(total_len);
if (!res) {