wlan: Check whether pNode is NULL instead of tmp_tx_context

When an assoc rsp with a reject code is sent to fw, an entry is added to the
assoc rsp completion list. If a race condition happens between the tx
complete received from fw and the TX complete timer timeout, it is possible
that one is being processed while the other is queued in the MC thread. In
that scenario, as both have the same callback to call, the first one will
remove the entry from the assoc rsp completion list. When the second one
calls the callback, failure should be returned as no entry is present
anymore. But due to the NULL check for tmp_tx_context, which would point to
the last valid entry, instead of pNode, which would actually be NULL when no
entry is found, the memory of the last valid entry, which does not
correspond to this assoc rsp, is freed while the node is still present in
the assoc rsp completion list, leaving a dangling pointer. If some other
module allocates memory and gets the same memory that was just wrongly
freed in the assoc rsp completion list, any operation on that node in the
assoc rsp completion list will corrupt the memory of the other module,
causing memory corruption.

Replace the NULL check for tmp_tx_context with a NULL check for pNode, as
pNode would be NULL if the entry is not found in the assoc response
completion list.

Change-Id: Ie122d950a78688360c07b1c738d29284ec73064b
CRs-Fixed: 2218212
1 file changed
tree: 906de66f9bcc662cdf0eead42cff91a01cec0a01
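The lookup pattern the commit message describes, as an added example that is not the driver's code: only the names pNode and tmp_tx_context come from the message, while the struct layout, the session_id key and the function names are assumptions made for illustration. It returns the entry that would be freed instead of freeing it, so the difference between the two NULL checks can be observed safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the driver's list node and per-response context. */
struct list_node { struct list_node *next; };
struct tx_context {
    struct list_node node;  /* first member: a node pointer is also its context */
    int session_id;         /* assumed lookup key */
};

/* Constructed sample: two pending assoc rsp entries, sessions 1 and 2. */
static struct tx_context entry2 = { { NULL }, 2 };
static struct tx_context entry1 = { { &entry2.node }, 1 };

/* Walk the list; with use_fix == 0 the "found" test is the pre-fix one. */
static struct tx_context *lookup(struct list_node *head, int session_id, int use_fix)
{
    struct list_node *pNode = head;
    struct tx_context *tmp_tx_context = NULL;

    while (pNode) {
        tmp_tx_context = (struct tx_context *)pNode;
        if (tmp_tx_context->session_id == session_id)
            break;
        pNode = pNode->next;
    }
    /* Walk ended without a match: pNode is NULL, tmp_tx_context is not. */
    if (use_fix)
        return pNode ? tmp_tx_context : NULL;
    return tmp_tx_context;  /* pre-fix: last entry visited, match or not */
}

struct tx_context *find_entry_buggy(struct list_node *head, int session_id)
{ return lookup(head, session_id, 0); }

struct tx_context *find_entry_fixed(struct list_node *head, int session_id)
{ return lookup(head, session_id, 1); }

int main(void)
{
    /* Session 7 stands for an entry the first callback already removed. */
    printf("pre-fix:  %s\n", find_entry_buggy(&entry1.node, 7)
           ? "unrelated session-2 entry selected for free" : "failure returned");
    printf("post-fix: %s\n", find_entry_fixed(&entry1.node, 7)
           ? "unrelated entry selected for free" : "failure returned");
    return 0;
}
```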