From f56fe0ea310e03deb9ceed8db15497e73b60c31b Mon Sep 17 00:00:00 2001 From: Praveen Kumar Sirisilla Date: Thu, 23 Jan 2014 23:13:16 -0800 Subject: wlan: bap: fix unsafe use of assert The CR identifies improper use of vos assert. At some places NULL pointers are asserted but no action is taken. Patch fix such issues. . Change-Id: I8a278fe019948630f629d8e76abd8f262ab5aa2c CRs-Fixed: 589661 --- CORE/BAP/src/bapModule.c | 9 +++-- CORE/BAP/src/bapRsn8021xAuthFsm.c | 6 +++- CORE/BAP/src/bapRsn8021xPrf.c | 8 +++-- CORE/BAP/src/bapRsnSsmAesKeyWrap.c | 4 --- CORE/BAP/src/bapRsnSsmEapol.c | 7 +++- CORE/HDD/src/bap_hdd_main.c | 68 ++++++++++++++++++++++++++++---------- 6 files changed, 74 insertions(+), 28 deletions(-) diff --git a/CORE/BAP/src/bapModule.c b/CORE/BAP/src/bapModule.c index 2fd8c37725d7..88b27af5c30d 100644 --- a/CORE/BAP/src/bapModule.c +++ b/CORE/BAP/src/bapModule.c @@ -1223,8 +1223,13 @@ WLANBAP_ReadMacConfig ccmCfgGetStr( pMac, WNI_CFG_STA_ID, pBtStaOwnMacAddr, &len ); - VOS_ASSERT( WNI_CFG_BSSID_LEN == len ); - + if (WNI_CFG_BSSID_LEN != len) + { + VOS_TRACE( VOS_MODULE_ID_BAP, VOS_TRACE_LEVEL_ERROR, + "len is improper %s", __func__); + return; + } + /* Form the SSID from Mac address */ VOS_SNPRINTF( pBtStaOwnSsid, WLAN_BAP_SSID_MAX_LEN, "AMP-%02x-%02x-%02x-%02x-%02x-%02x", diff --git a/CORE/BAP/src/bapRsn8021xAuthFsm.c b/CORE/BAP/src/bapRsn8021xAuthFsm.c index 2ce59a78c530..98ba3d16483f 100644 --- a/CORE/BAP/src/bapRsn8021xAuthFsm.c +++ b/CORE/BAP/src/bapRsn8021xAuthFsm.c @@ -1017,7 +1017,11 @@ int derivePtk(tAuthRsnFsm *fsm, tAniEapolKeyAvailEventData *data) v_U32_t prfLen; tAniEapolRsnKeyDesc *rxDesc; - VOS_ASSERT(fsm->staCtx->pmk); + if (NULL == fsm->staCtx->pmk) + { + VOS_ASSERT(0); + return ANI_E_NULL_VALUE; + } switch (fsm->staCtx->pwCipherType) { diff --git a/CORE/BAP/src/bapRsn8021xPrf.c b/CORE/BAP/src/bapRsn8021xPrf.c index ebd50fa7de4d..4b8a7e01be54 100644 --- a/CORE/BAP/src/bapRsn8021xPrf.c +++ b/CORE/BAP/src/bapRsn8021xPrf.c 
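Review bot: In WLANBAP_ReadMacConfig (bapModule.c, hunk at -1223) the new early return leaves `pBtStaOwnSsid` unwritten, and the bare `return;` implies the function is void, so its caller cannot tell that no SSID was formed. The check also trusts `len` although the status returned by `ccmCfgGetStr()` on the context line above is discarded; if that call can fail without updating `len`, the comparison runs on whatever value `len` held before. I would test the call's status together with the length, include the received length in the trace next to `__func__`, and leave the SSID buffer in a defined state on the failure path. The function's start and end are outside the hunk, so the initial value of `len` and the buffer's prior contents are not visible here.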
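Review bot: In derivePtk (bapRsn8021xAuthFsm.c) the new guard dereferences `fsm` and `fsm->staCtx` in order to test `pmk`, so only the innermost pointer is actually validated. If either outer pointer can be NULL on this path (not visible from the hunk), the check itself faults before it can return ANI_E_NULL_VALUE. Extending the condition to `if (NULL == fsm || NULL == fsm->staCtx || NULL == fsm->staCtx->pmk)` covers the whole chain. The function body continues past the hunk.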
@@ -249,8 +249,12 @@ aagPrf(v_U32_t cryptHandle, for (i = 0; i < numLoops; i++) { - VOS_ASSERT((resultOffset - result + VOS_DIGEST_SHA1_SIZE) - <= AAG_PRF_MAX_OUTPUT_SIZE); + if ((resultOffset - result + VOS_DIGEST_SHA1_SIZE) > AAG_PRF_MAX_OUTPUT_SIZE) + { + VOS_ASSERT(0); + return ANI_ERROR; + } + hmacText[loopCtrPos] = i; if( VOS_IS_STATUS_SUCCESS( vos_sha1_hmac_str(cryptHandle, hmacText, loopCtrPos + 1, key, keyLen, resultOffset) ) ) { diff --git a/CORE/BAP/src/bapRsnSsmAesKeyWrap.c b/CORE/BAP/src/bapRsnSsmAesKeyWrap.c index 0e8858cb4fc1..398a0be95e23 100644 --- a/CORE/BAP/src/bapRsnSsmAesKeyWrap.c +++ b/CORE/BAP/src/bapRsnSsmAesKeyWrap.c @@ -273,8 +273,6 @@ aes(v_U32_t cryptHandle, tANI_U8 *keyBytes, tANI_U32 keyLen, tANI_U8 in[AES_BLOCK_SIZE]; tANI_U8 *out; - VOS_ASSERT (AES_BLOCK_SIZE == ANI_SSM_AES_KEY_WRAP_BLOCK_SIZE*2); - // Concatenate A and R[i] vos_mem_copy(in, a, ANI_SSM_AES_KEY_WRAP_BLOCK_SIZE); vos_mem_copy(in + ANI_SSM_AES_KEY_WRAP_BLOCK_SIZE, @@ -317,8 +315,6 @@ aes_1(v_U32_t cryptHandle, tANI_U8 *keyBytes, tANI_U32 keyLen, tANI_U8 in[AES_BLOCK_SIZE]; tANI_U8 *out; - VOS_ASSERT (AES_BLOCK_SIZE == ANI_SSM_AES_KEY_WRAP_BLOCK_SIZE*2); - // Concatenate A and R[i] vos_mem_copy(in, at, ANI_SSM_AES_KEY_WRAP_BLOCK_SIZE); vos_mem_copy(in + ANI_SSM_AES_KEY_WRAP_BLOCK_SIZE, diff --git a/CORE/BAP/src/bapRsnSsmEapol.c b/CORE/BAP/src/bapRsnSsmEapol.c index ea39c7bd4cd3..14f2f93a9c79 100644 --- a/CORE/BAP/src/bapRsnSsmEapol.c +++ b/CORE/BAP/src/bapRsnSsmEapol.c @@ -1099,7 +1099,12 @@ int bapRsnFormPktFromVosPkt( tAniPacket **ppPacket, vos_pkt_t *pVosPacket ) if( !ANI_IS_STATUS_SUCCESS( retVal ) ) break; //Get the rest of the data in uPktLen -= BAP_RSN_ETHERNET_3_HEADER_LEN; - VOS_ASSERT( uPktLen > 0 ); + if (uPktLen <= 0){ + VOS_ASSERT(0); + retVal = ANI_ERROR; + break; + } + retVal = aniAsfPacketAppendBuffer( pAniPacket, pFrame + BAP_RSN_ETHERNET_3_HEADER_LEN, uPktLen ); if( !ANI_IS_STATUS_SUCCESS( retVal ) ) 
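Review bot: In aagPrf (bapRsn8021xPrf.c) the output-size check still sits inside the loop, so it fires only after earlier iterations have already written HMAC output into `result`. Assuming `resultOffset` starts at `result` and advances by VOS_DIGEST_SHA1_SIZE per iteration (the increment is outside the hunk), the same bound can be tested once before the loop with `if (numLoops > AAG_PRF_MAX_OUTPUT_SIZE / VOS_DIGEST_SHA1_SIZE) return ANI_ERROR;`, which rejects an oversized request before any key material is derived. If the in-loop form is kept, the error return should clear `result` so partially derived key bytes are not left behind, and it should run whatever cleanup the normal exit performs. The end of the function is not visible here.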
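Review bot: In bapRsnFormPktFromVosPkt (bapRsnSsmEapol.c) the new `uPktLen <= 0` test runs after `uPktLen -= BAP_RSN_ETHERNET_3_HEADER_LEN`, so if `uPktLen` is an unsigned type (its declaration is outside the hunk, but the name suggests it) a frame shorter than the header wraps to a large value and passes the check. That length is then handed to `aniAsfPacketAppendBuffer()` together with `pFrame + BAP_RSN_ETHERNET_3_HEADER_LEN`, which would read past the received frame. Comparing before subtracting closes this: `if (uPktLen <= BAP_RSN_ETHERNET_3_HEADER_LEN) { VOS_ASSERT(0); retVal = ANI_ERROR; break; }` followed by `uPktLen -= BAP_RSN_ETHERNET_3_HEADER_LEN;`.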
diff --git a/CORE/HDD/src/bap_hdd_main.c b/CORE/HDD/src/bap_hdd_main.c index c2620a2c1f85..f567dc6f9fce 100644 --- a/CORE/HDD/src/bap_hdd_main.c +++ b/CORE/HDD/src/bap_hdd_main.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, The Linux Foundation. All rights reserved. + * Copyright (c) 2013-2014, The Linux Foundation. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * @@ -24,6 +24,7 @@ * under proprietary terms before Copyright ownership was assigned * to the Linux Foundation. */ + /**======================================================================== \file bap_hdd_main.c @@ -795,11 +796,17 @@ static void BslReleasePhyCtx { VosStatus = vos_list_remove_node( &pPhyCtx->pClientCtx->PhyLinks, &((BslPhyLinksNodeType*)pPhyCtx->pPhyLinkDescNode)->node); - VOS_ASSERT(VOS_IS_STATUS_SUCCESS( VosStatus ) ); - //Return the PhyLink handle to the free pool - VosStatus = vos_list_insert_front(&BslPhyLinksDescPool,&((BslPhyLinksNodeType*)pPhyCtx->pPhyLinkDescNode)->node); - VOS_ASSERT(VOS_IS_STATUS_SUCCESS( VosStatus ) ); - + if (VOS_STATUS_SUCCESS != VosStatus) + { + VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,"%s: vos_list_remove_node() is not succses", __func__); + } else { + //Return the PhyLink handle to the free pool + VosStatus = vos_list_insert_front(&BslPhyLinksDescPool,&((BslPhyLinksNodeType*)pPhyCtx->pPhyLinkDescNode)->node); + if (VOS_STATUS_SUCCESS != VosStatus) + { + VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,"%s: vos_list_insert_front() is not succses", __func__); + } + } pPhyCtx->pPhyLinkDescNode = NULL; } pPhyCtx->pClientCtx = NULL;//Moved here to bebug the exception @@ -1447,7 +1454,12 @@ static VOS_STATUS WLANBAP_EventCB } } - VOS_ASSERT(Written <= BSL_MAX_EVENT_SIZE); + if (BSL_MAX_EVENT_SIZE < Written) + { + VosStatus = vos_pkt_return_packet( pVosPkt ); + VOS_ASSERT(0); + return(VOS_STATUS_E_FAILURE); + } // stick the event into a VoS pkt VosStatus = vos_pkt_push_head( pVosPkt, Buff, Written ); 
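Review bot: In BslReleasePhyCtx (bap_hdd_main.c, hunk at -795) a failed `vos_list_remove_node()` now skips the return to BslPhyLinksDescPool, but `pPhyCtx->pPhyLinkDescNode = NULL` still runs afterwards, so the descriptor is neither back in the free pool nor reachable from this context. Repeated failures would drain the pool, and the node may remain linked in the client's PhyLinks list. The two trace messages also omit the status code and misspell "success"; something like `"%s: vos_list_remove_node() failed, status %d", __func__, VosStatus` makes the log actionable. A short comment on the failure branch saying why the descriptor is deliberately not returned to the pool would help. The function begins and ends outside the hunk.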
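Review bot: In WLANBAP_EventCB (hunk at -1447) the `BSL_MAX_EVENT_SIZE < Written` test runs after the event has been serialised into `Buff`, so it can only report an overrun that has already taken place. If `Buff` is sized BSL_MAX_EVENT_SIZE (its declaration is outside the hunk), any path that makes `Written` exceed the limit has written past the buffer before this return is reached. The bound needs to be enforced where each field is appended, in the code above the hunk, with this check kept as a last-resort guard. The status assigned from `vos_pkt_return_packet()` on the new failure path is also dropped without being logged.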
@@ -1481,7 +1493,11 @@ static VOS_STATUS WLANBAP_EventCB //JEZ100922: We are free to return the enclosing VOSS packet. VosStatus = vos_pkt_return_packet( pVosPkt ); - VOS_ASSERT(VOS_IS_STATUS_SUCCESS( VosStatus )); + if(VOS_STATUS_SUCCESS != VosStatus) + { + // just print no action required + VOS_ASSERT(0); + } //JEZ100809: While an skb is being handled by the kernel, is "skb->dev" de-ref'd? skb->dev = (struct net_device *) gpBslctx->hdev; @@ -1600,7 +1616,12 @@ static BOOL BslFindAndInitClientCtx // init the PhyLinks queue to keep track of the assoc's of this client VosStatus = vos_list_init( &pctx->PhyLinks ); - VOS_ASSERT(VOS_IS_STATUS_SUCCESS( VosStatus ) ); + if (VOS_STATUS_SUCCESS != VosStatus) + { + pctx->used = FALSE; + VOS_ASSERT(0); + return(FALSE); + } *pctx_ = pctx; @@ -1636,8 +1657,11 @@ static void BslReleaseClientCtx // consume resulting HCI events, so after this we will not get any HCI events. we will also // not see any FetchPktCB and RxPktCB. We can still expect TxCompletePktCB VosStatus = WLANBAP_ReleaseHndl( pctx->bapHdl ); - VOS_ASSERT(VOS_IS_STATUS_SUCCESS( VosStatus ) ); - + if (VOS_STATUS_SUCCESS != VosStatus) + { + // just print no action required + VOS_ASSERT(0); + } // find and free all of the association contexts belonging to this app while ( VOS_IS_STATUS_SUCCESS( VosStatus = vos_list_remove_front( &pctx->PhyLinks, &pLink ) ) ) @@ -1655,7 +1679,11 @@ static void BslReleaseClientCtx // destroy the PhyLinks queue VosStatus = vos_list_destroy( &pctx->PhyLinks ); - VOS_ASSERT(VOS_IS_STATUS_SUCCESS( VosStatus ) ); + if (VOS_STATUS_SUCCESS != VosStatus) + { + // just print no action required + VOS_ASSERT(0); + } pctx->used = FALSE; @@ -1744,9 +1772,6 @@ static BOOL BslFindAndInitPhyCtx for ( j=0; jACLTxQueue ); - VOS_ASSERT(VOS_IS_STATUS_SUCCESS( VosStatus ) ); } // need to add this Phy context to the client list of associations, @@ -3903,7 +3928,11 @@ static int BSL_Open( struct hci_dev *hdev ) for ( i=0; iprivate_data != NULL) 
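Review bot: The comment `// just print no action required` in the WLANBAP_EventCB hunk at -1481 does not match the code under it, which only calls `VOS_ASSERT(0)` and prints nothing of its own. The same block is repeated in both BslReleaseClientCtx hunks (-1636 and -1655). Whether anything is reported then depends entirely on how VOS_ASSERT is configured for the build, and the failing status is lost either way. I would replace each with a trace that names the call and the status, e.g. `VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, "%s: vos_pkt_return_packet() failed, status %d", __func__, VosStatus);`, and reword the comment to say why continuing is safe.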
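Review bot: In BslFindAndInitClientCtx (hunk at -1600) the new failure path clears `pctx->used` and returns FALSE but leaves `*pctx_` untouched, so a caller that does not check the BOOL result would carry on with whatever the out-parameter held before the call. Adding `*pctx_ = NULL;` before `return(FALSE);` makes the failure unambiguous. Anything the function acquired for this context before `vos_list_init()` (that code is above the hunk) would also need releasing here, otherwise the slot is handed out again with stale state.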
@@ -3985,8 +4014,11 @@ static int BSL_Close ( struct hci_dev *hdev ) } VosStatus = vos_list_destroy( &BslPhyLinksDescPool ); - VOS_ASSERT(VOS_IS_STATUS_SUCCESS( VosStatus ) ); - + if (VOS_STATUS_SUCCESS != VosStatus) + { + VOS_ASSERT(0); + return FALSE; + } bBslInited = FALSE; -- cgit v1.2.3
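Review bot: In BSL_Close the new failure path returns `FALSE` from a function declared `static int`, i.e. 0, which a caller of an int-returning close callback would normally read as success. It also returns before `bBslInited = FALSE;`, so after a failed `vos_list_destroy()` the module stays marked as initialised even though the teardown steps above the hunk have already run, and a later open could then skip re-initialisation. I would log the status and fall through to clear the flag, or clear it and return a negative errno, e.g. `bBslInited = FALSE; return -EIO;`. The rest of the function is outside the hunk, so the return convention of its other paths should be checked before choosing.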