From a167bce3dbfe0af863ee6123b02f34454e94de03 Mon Sep 17 00:00:00 2001
From: Mahesh A Saptasagar
Date: Fri, 1 Jul 2016 15:41:16 +0530
Subject: qcacld-2.0: Fix for potential buffer overflow and null pointer references
prima to qcacld-2.0 propagation
Static analyser is reporting errors for array bound checking and null pointer references. To resolve this
1. Check for condition array index shouldn't exceed WNI_CFG_VALID_CHANNEL_LIST_LEN before accessing ChannelList array.
2. Check for NULL condition wherever necessary.
Change-Id: Idd0a23a8180dddabfdd353c0861899411aecfa16
CRs-Fixed: 534624
---
 CORE/SME/src/csr/csrNeighborRoam.c | 11 +++-------
 CORE/SME/src/csr/csrTdlsProcess.c | 6 ++++--
 2 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/CORE/SME/src/csr/csrNeighborRoam.c b/CORE/SME/src/csr/csrNeighborRoam.c
index 3a65e325e6b4..6fa7ce23476e 100644
--- a/CORE/SME/src/csr/csrNeighborRoam.c
+++ b/CORE/SME/src/csr/csrNeighborRoam.c
@@ -4397,6 +4397,9 @@ VOS_STATUS csrNeighborRoamTransitToCFGChanScan(tpAniSirGlobal pMac,
 else
 {
 numOfChannels = pMac->scan.occupiedChannels[sessionId].numChannels;
+ if (numOfChannels > WNI_CFG_VALID_CHANNEL_LIST_LEN) {
+ numOfChannels = WNI_CFG_VALID_CHANNEL_LIST_LEN;
+ }
 if (numOfChannels
 #ifdef FEATURE_WLAN_LFR
 && ((pNeighborRoamInfo->uScanMode == SPLIT_SCAN_OCCUPIED_LIST) ||
@@ -4428,10 +4431,6 @@ VOS_STATUS csrNeighborRoamTransitToCFGChanScan(tpAniSirGlobal pMac,
 }
 else
 {
- if (numOfChannels > WNI_CFG_VALID_CHANNEL_LIST_LEN)
- {
- numOfChannels = WNI_CFG_VALID_CHANNEL_LIST_LEN;
- }
 vos_mem_copy(channelList,
 pMac->scan.occupiedChannels[sessionId].channelList,
 numOfChannels * sizeof(tANI_U8));
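Review bot: The clamp added in the first hunk bounds numOfChannels to WNI_CFG_VALID_CHANNEL_LIST_LEN, but the copy it protects (the vos_mem_copy into channelList in the second hunk) is only safe if channelList holds at least that many tANI_U8 elements; its declaration is outside both hunks, so that is worth confirming, and if channelList is a local array a bound taken from `sizeof(channelList)` would not drift if the constant and the array are ever resized independently. An occupiedChannels numChannels larger than the list length is a violated invariant rather than a normal input, so truncating it silently hides the corruption; I would log at the clamp, `smsLog(pMac, LOGW, FL("occupied channel count exceeds WNI_CFG_VALID_CHANNEL_LIST_LEN, truncating"));`. The enclosing function csrNeighborRoamTransitToCFGChanScan starts and ends outside these hunks.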
@@ -4466,10 +4465,6 @@ VOS_STATUS csrNeighborRoamTransitToCFGChanScan(tpAniSirGlobal pMac,
 smsLog(pMac, LOGE, FL("Memory allocation for Channel list failed"));
 return VOS_STATUS_E_RESOURCES;
 }
- if (numOfChannels > WNI_CFG_VALID_CHANNEL_LIST_LEN)
- {
- numOfChannels = WNI_CFG_VALID_CHANNEL_LIST_LEN;
- }
 currChannelListInfo->numOfChannels = outputNumOfChannels;
 vos_mem_copy(currChannelListInfo->ChannelList,
 scanChannelList,
diff --git a/CORE/SME/src/csr/csrTdlsProcess.c b/CORE/SME/src/csr/csrTdlsProcess.c
index e76e7e3884b1..f7c2922eefaf 100644
--- a/CORE/SME/src/csr/csrTdlsProcess.c
+++ b/CORE/SME/src/csr/csrTdlsProcess.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2014 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@@ -149,7 +149,7 @@ eHalStatus csrTdlsSendMgmtReq(tHalHandle hHal, tANI_U8 sessionId, tCsrTdlsSendMg
 }
 /*
- * TDLS request API, called from HDD to add a TDLS peer
+ * TDLS request API, called from HDD to modify an existing TDLS peer
 */
 eHalStatus csrTdlsChangePeerSta(tHalHandle hHal, tANI_U8 sessionId,
@@ -160,6 +160,8 @@ eHalStatus csrTdlsChangePeerSta(tHalHandle hHal,
 tSmeCmd *tdlsAddStaCmd ;
 eHalStatus status = eHAL_STATUS_FAILURE ;
+ if (NULL == pstaParams)
+ return status;
 //If connected and in Infra. Only then allow this
 if (CSR_IS_SESSION_VALID( pMac, sessionId ) &&
 csrIsConnStateConnectedInfra( pMac, sessionId ) &&
-- 
cgit v1.2.3
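Review bot: Dropping the clamp here is only safe because numOfChannels does not size this copy; the visible lines set currChannelListInfo->numOfChannels to outputNumOfChannels and copy into currChannelListInfo->ChannelList, and nothing in the hunk bounds outputNumOfChannels against the allocation made just above it (the allocation size and the copy length argument are both outside the hunk). If ChannelList is allocated from outputNumOfChannels itself this is fine; if it is a fixed-size WNI_CFG_VALID_CHANNEL_LIST_LEN buffer the removed guard should have been re-pointed at the value actually used rather than deleted, `if (outputNumOfChannels > WNI_CFG_VALID_CHANNEL_LIST_LEN) outputNumOfChannels = WNI_CFG_VALID_CHANNEL_LIST_LEN;`. csrNeighborRoamTransitToCFGChanScan continues on both sides of the hunk.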
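Review bot: The new NULL check in csrTdlsChangePeerSta returns eHAL_STATUS_FAILURE without a trace, so a caller passing a NULL pstaParams fails indistinguishably from the not-connected path that follows it; this file already logs through smsLog with pMac, which the context two lines below shows is in scope. I would also brace it, as the new code in csrNeighborRoam.c in this same commit does: `if (NULL == pstaParams) { smsLog(pMac, LOGE, FL("pstaParams is NULL")); return status; }`. The function's parameter list and the derivation of pMac lie outside the hunk, so that pMac is valid at this point is inferred from its use below rather than visible here.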