From 2ae4256ed35fe8d16a9bd1037029f030d42916f4 Mon Sep 17 00:00:00 2001
From: gaurank kathpalia
Date: Mon, 18 Jun 2018 15:15:09 +0530
Subject: qcacmn: Fix pointer dereference condition
In the API extract_roam_scan_stats_res_evt_tlv, the driver extracts num_channels from the param_buf, which may be NULL, and lead to pointer dereference in the same API Fix is to have check for num_channels, and then let driver perform tasks.
Change-Id: Iee56de8cd47cd3ea09078479e8ce34b6362b1685
CRs-Fixed: 2259297
---
 wmi/src/wmi_unified_tlv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 11f0d412e47c..9c37be61570c 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -14702,7 +14702,7 @@ extract_roam_scan_stats_res_evt_tlv(wmi_unified_t wmi_handle, void *evt_buf,
 roam->trigger_value = roam_reason[i].trigger_value;
 }
- if (chan_info) {
+ if (chan_info && num_channels) {
 for (j = 0; j < num_channels[i]; j++)
 roam->scan_freqs[j] = chan_info[chan_idx++];
 }
-- 
cgit v1.2.3
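Review bot: The copy loop under the new `if (chan_info && num_channels)` guard still uses `num_channels[i]` as its only bound, and the commit message says that value is extracted from the event's param_buf. Nothing in the hunk caps `j` at the capacity of `roam->scan_freqs`, or `chan_idx` at the number of `chan_info` entries the event actually carries. An oversized count could therefore write past `scan_freqs` and read past `chan_info`, which the NULL check does not prevent. I would bound both in the loop condition, e.g. `for (j = 0; j < num_channels[i] && j < <SCAN_FREQS_CAPACITY> && chan_idx < <CHAN_INFO_COUNT>; j++)`, where the two placeholders stand for the project's own array size and TLV element count. The function body starts and ends outside the hunk, so such a check may already exist earlier and should be confirmed there.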