From 3e793ff4e27991a8577f99b97f2d4a2a1a335cd7 Mon Sep 17 00:00:00 2001
From: jitiphil
Date: Thu, 31 May 2018 13:15:20 +0530
Subject: qcacmn: NULL pointer dereference in htc_issue_packets()

Inside htc_issue_packets() if the HTC frame header associated with a packet is NULL, a NULL pointer dereference can occur. Add check to verify that HTC frame header is not NULL before dereferencing.

Change-Id: I4169035286b582a91e5963c20a11c8ad0f375d17
Crs-Fixed: 2232846
---
 htc/htc_send.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/htc/htc_send.c b/htc/htc_send.c
index dffc74a736ea..c6d80c0949ac 100644
--- a/htc/htc_send.c
+++ b/htc/htc_send.c
@@ -607,7 +607,14 @@ static QDF_STATUS htc_issue_packets(HTC_TARGET *target,
 pHtcHdr = (HTC_FRAME_HDR *) qdf_nbuf_get_frag_vaddr(netbuf, 0);
- AR_DEBUG_ASSERT(pHtcHdr);
+ if (qdf_unlikely(!pHtcHdr)) {
+ AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
+ ("%s Invalid pHtcHdr\n",
+ __func__));
+ AR_DEBUG_ASSERT(pHtcHdr);
+ status = QDF_STATUS_E_FAILURE;
+ break;
+ }
 HTC_WRITE32(pHtcHdr, SM(payloadLen,
-- cgit v1.2.3
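Review bot: The new `break` on a NULL `pHtcHdr` leaves the loop with `status = QDF_STATUS_E_FAILURE` but does nothing visible with the packet that owns `netbuf`, so if that packet has already been taken off the send queue it may end up neither sent, completed nor requeued. The loop and the rest of htc_issue_packets() start and end outside this hunk, so this needs confirming against the code that runs after the loop. If the error path there does release the packet, a comment on the branch would make the ownership explicit, e.g. `/* packet for this netbuf is released by the error path after the loop */`. Separately, `AR_DEBUG_ASSERT(pHtcHdr);` now sits inside the branch where `pHtcHdr` is known to be NULL, so it fires every time on builds where the assert is active; if that is meant as a debug-only trap, say so with `/* debug builds trap here; production builds fail the send */`.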