From 2d67c739e107274296f8ead9effda67d3a93b33c Mon Sep 17 00:00:00 2001
From: "Masti, Narayanraddi"
Date: Mon, 16 Feb 2015 16:38:42 +0530
Subject: qcacld: Add a sanity check for NULL dereference and array out of bounds

Check for psession NULL dereference during processing of MLM START confirmation and check for array out of bound in sapAddMacToACL since size passed may exceed maximum addresses.

Change-Id: I0cf1bc13f73c4af1f4e8178bed9b45002bde6896
CRs-Fixed: 796225
---
 CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c | 3 ++-
 CORE/SAP/src/sapFsm.c | 9 ++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c b/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c
index 640a388657a3..cafbe3c9bc74 100644
--- a/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c
+++ b/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c
@@ -417,7 +417,8 @@ limProcessMlmStartCnf(tpAniSirGlobal pMac, tANI_U32 *pMsgBuf)
 limSendSmeStartBssRsp(pMac, eWNI_SME_START_BSS_RSP, ((tLimMlmStartCnf *) pMsgBuf)->resultCode,psessionEntry, smesessionId,smetransactionId);
- if (((tLimMlmStartCnf *) pMsgBuf)->resultCode == eSIR_SME_SUCCESS)
+ if ((psessionEntry != NULL) &&
+ (((tLimMlmStartCnf *) pMsgBuf)->resultCode == eSIR_SME_SUCCESS))
 {
 channelId = psessionEntry->pLimStartBssReq->channelId;
diff --git a/CORE/SAP/src/sapFsm.c b/CORE/SAP/src/sapFsm.c
index ba176574f5eb..9b17a4439bd6 100644
--- a/CORE/SAP/src/sapFsm.c
+++ b/CORE/SAP/src/sapFsm.c
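Review bot: The added guard covers psessionEntry but not `pLimStartBssReq`, which is dereferenced unchecked on the next context line (`psessionEntry->pLimStartBssReq->channelId`); whether that pointer is guaranteed to still be set when the START confirmation is processed is not visible here, and if it can be cleared first the condition should be widened to `if ((psessionEntry != NULL) && (psessionEntry->pLimStartBssReq != NULL) && (((tLimMlmStartCnf *) pMsgBuf)->resultCode == eSIR_SME_SUCCESS))`. A NULL psessionEntry now silently skips the post-start work, so an else branch that logs the dropped confirmation would make that path diagnosable. Note also that limSendSmeStartBssRsp is still called with the possibly-NULL psessionEntry one line earlier, so the fix relies on that callee tolerating NULL. limProcessMlmStartCnf begins and ends outside the hunk.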
@@ -4136,7 +4136,14 @@ sapRemoveMacFromACL(v_MACADDR_t *macList, v_U8_t *size, v_U8_t index)
 /* return if the list passed is empty. Ideally this should never happen since this funcn is always called after sapSearchMacList to get the index of the mac addr to be removed and this will only get called if the search is successful. Still no harm in having the check */
- if (macList==NULL) return;
+ if ((NULL == macList) || (*size == 0) || (*size > MAX_ACL_MAC_ADDRESS))
+ {
+ VOS_TRACE( VOS_MODULE_ID_SAP, VOS_TRACE_LEVEL_INFO_HIGH,
+ "In %s, either buffer is NULL or size %d is incorrect.",
+ __func__, *size);
+ return;
+ }
+
 for (i=index; i<((*size)-1); i++)
 {
 /* Move mac addresses starting from "index" passed one index up to delete the void
--
cgit v1.2.3

From b3e0dfdaf5c3afb332a372d33fd31cb6fa09b917 Mon Sep 17 00:00:00 2001
From: Ryan Hsu
Date: Thu, 12 Feb 2015 15:03:26 -0800
Subject: qcacld2.0: HDD: Fix for issues reported by Static Analysis

This is prima to qcacld-2.0 propagation. Free dynamically allocated memory 'pHddCtx->cfg_ini'in hdd_wlan_exit() irrespective of pAdapter value.

Change-Id: I91206f92c064d045305a64f344a8bad3a3b40e52
CRs-Fixed: 795261
---
 CORE/HDD/src/wlan_hdd_ftm.c | 4 ----
 CORE/HDD/src/wlan_hdd_main.c | 11 +++++++----
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/CORE/HDD/src/wlan_hdd_ftm.c b/CORE/HDD/src/wlan_hdd_ftm.c
index 71ab148e354f..d0762a8f93ae 100644
--- a/CORE/HDD/src/wlan_hdd_ftm.c
+++ b/CORE/HDD/src/wlan_hdd_ftm.c
@@ -841,10 +841,6 @@ int wlan_hdd_ftm_close(hdd_context_t *pHddCtx)
 VOS_ASSERT( VOS_IS_STATUS_SUCCESS( vosStatus ) );
 }
- //Free up dynamically allocated members inside HDD Adapter
- kfree(pHddCtx->cfg_ini);
- pHddCtx->cfg_ini= NULL;
-
 #if defined(QCA_WIFI_FTM) && defined(LINUX_QCMBR)
 spin_lock_bh(&qcmbr_queue_lock);
 if (!list_empty(&qcmbr_queue_head)) {
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index 0a0e72c397da..50f678431f86 100755
--- a/CORE/HDD/src/wlan_hdd_main.c
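Review bot: The new guard validates `*size` but not `index`, although `index` is the position the `for` loop on the next line starts shifting from; with `index >= *size` the loop simply does nothing while the remainder of the function, which is outside the hunk, presumably still shrinks the list. The bound belongs in the same check, `if ((NULL == macList) || (*size == 0) || (*size > MAX_ACL_MAC_ADDRESS) || (index >= *size))`, and the trace message should report `index` alongside `*size`. Separately, the commit message says the bound check was added to sapAddMacToACL, but the hunk header places it in sapRemoveMacFromACL and the diffstat shows no other change in sapFsm.c, so the message should name the function actually touched. sapRemoveMacFromACL's body continues past the end of the hunk.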
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -11717,10 +11717,6 @@ void hdd_wlan_exit(hdd_context_t *pHddCtx)
 #ifdef IPA_OFFLOAD
 hdd_ipa_cleanup(pHddCtx);
 #endif
- //Free up dynamically allocated members inside HDD Adapter
- kfree(pHddCtx->cfg_ini);
- pHddCtx->cfg_ini= NULL;
-
 /* free the power on lock from platform driver */
 if (free_riva_power_on_lock("wlan"))
@@ -11734,6 +11730,13 @@ void hdd_wlan_exit(hdd_context_t *pHddCtx)
 hdd_list_destroy(&pHddCtx->hdd_roc_req_q);
 free_hdd_ctx:
+
+ /* Free up dynamically allocated members inside HDD Adapter */
+ if (pHddCtx->cfg_ini) {
+ kfree(pHddCtx->cfg_ini);
+ pHddCtx->cfg_ini= NULL;
+ }
+
 /* FTM mode, WIPHY did not registered If un-register here, system crash will happen */
 if (VOS_FTM_MODE != hdd_get_conparam())
--
cgit v1.2.3

From 37990d148fb41fd1dabcd05f142d7c8c267d8cf3 Mon Sep 17 00:00:00 2001
From: AnjaneeDevi Kapparapu
Date: Wed, 18 Feb 2015 14:11:27 +0530
Subject: Cafstaging Release 4.0.10.37

Cafstaging Release 4.0.10.37

Change-Id: Ie9ee0a1cbb9f292a493fc65212685660051ed1e4
CRs-Fixed: 688141
---
 CORE/MAC/inc/qwlan_version.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CORE/MAC/inc/qwlan_version.h b/CORE/MAC/inc/qwlan_version.h
index 75800c64ce2b..89363e82a16a 100644
--- a/CORE/MAC/inc/qwlan_version.h
+++ b/CORE/MAC/inc/qwlan_version.h
@@ -42,9 +42,9 @@ BRIEF DESCRIPTION:
 #define QWLAN_VERSION_MINOR 0
 #define QWLAN_VERSION_PATCH 10
 #define QWLAN_VERSION_EXTRA ""
-#define QWLAN_VERSION_BUILD 36
+#define QWLAN_VERSION_BUILD 37
-#define QWLAN_VERSIONSTR "4.0.10.36"
+#define QWLAN_VERSIONSTR "4.0.10.37"
 #define AR6320_REV1_VERSION 0x5000000
--
cgit v1.2.3
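Review bot: The `if (pHddCtx->cfg_ini)` wrapper added under the `free_hdd_ctx:` label is redundant, since kfree() accepts NULL as a no-op; the block can be reduced to the two lines `kfree(pHddCtx->cfg_ini);` and `pHddCtx->cfg_ini = NULL;`, keeping the reset so a later teardown path cannot free it twice. The comment carried over from the removed code says "HDD Adapter" although cfg_ini is a member of the HDD context being torn down; `/* Free the INI configuration owned by the HDD context */` would describe what the lines do. Because the free now sits after the label it runs for every path that jumps to free_hdd_ctx, and whether each of those paths reaches the label with a valid pHddCtx is not visible in the hunk. hdd_wlan_exit starts before and ends after the hunk.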