wlan: Fix Null pointer dereference

Check whether session_entry is NULL in the host driver before
dereferencing it.

Fix is to add return status and do required cleanup
in case session_entry is NULL.

Change-Id: If42d8e1e4df68e6148f497cda6b12d7454158996
CRs-Fixed: 2195907
diff --git a/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c b/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
index a4bb404..5276aa4 100644
--- a/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
+++ b/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
@@ -4142,6 +4142,11 @@
                 eLIM_CNF_WAIT_TIMER,
                 aid);
     }
+    else
+    {
+      limLog(pmac, LOGE, FL("NULL sta_ds"));
+      goto end;
+    }
     if (assoc_cnf.statusCode == eSIR_SME_SUCCESS)
     {
       sta_ds->mlmStaContext.mlmState = eLIM_MLM_LINK_ESTABLISHED_STATE;
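Review bot: The new else branch logs only `"NULL sta_ds"`, which gives no way to correlate the failure with the association it belongs to; the `aid` passed two lines above the branch is at hand and could be included, e.g. `limLog(pmac, LOGE, FL("NULL sta_ds for aid %d"), aid);` (assuming aid is an integer type). The `end:` label and the enclosing function both lie outside the hunk, so whether that path performs the cleanup the commit message promises cannot be confirmed here.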
diff --git a/CORE/MAC/src/pe/lim/limUtils.c b/CORE/MAC/src/pe/lim/limUtils.c
index 3bd1466..af86449 100644
--- a/CORE/MAC/src/pe/lim/limUtils.c
+++ b/CORE/MAC/src/pe/lim/limUtils.c
@@ -9044,6 +9044,11 @@
         tpSirAssocReq assoc_req)
 {
     tpPESession session_entry = limIsApSessionActive(pmac);
+    if (session_entry == NULL)
+    {
+        limLog(pmac, LOGE, FL("Invalid Session Entry"));
+        goto error;
+    }
 
     if (IS_DOT11_MODE_HT(session_entry->dot11mode) &&
             assoc_req->HTCaps.present && assoc_req->wmeInfoPresent)
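Review bot: The new `goto error` jumps to a label outside the hunk before any of the function's later locals are initialized; if the `error:` path frees or releases anything declared after this point it would operate on indeterminate values, so confirm that the label only logs or returns. The function's signature begins before the hunk and its body continues past it.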
@@ -9168,7 +9173,11 @@
     tHalBitVal qos_mode;
     tHalBitVal wsm_mode, wme_mode;
     tpPESession session_entry = limIsApSessionActive(pmac);
-
+    if (session_entry == NULL)
+    {
+        limLog(pmac, LOGE, FL("Invalid Session Entry"));
+        return;
+    }
     limGetQosMode(session_entry, &qos_mode);
     sta_ds->qosMode    = eANI_BOOLEAN_FALSE;
     sta_ds->lleEnabled = eANI_BOOLEAN_FALSE;
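Review bot: The early `return` leaves `sta_ds->qosMode`, `sta_ds->lleEnabled` and whatever other fields the rest of this function fills untouched, and because the function returns void the caller gets no indication that initialization was skipped. If the caller relies on those fields afterwards, consider having it verify the AP session before calling, or record the precondition on the function: `/* Leaves sta_ds QoS fields unchanged when no AP session is active. */`. The function's signature and the remainder of its body are outside the hunk.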
diff --git a/CORE/MAC/src/pe/lim/lim_mbb.c b/CORE/MAC/src/pe/lim/lim_mbb.c
index fdf18a2..9cd3501 100644
--- a/CORE/MAC/src/pe/lim/lim_mbb.c
+++ b/CORE/MAC/src/pe/lim/lim_mbb.c
@@ -63,6 +63,10 @@
     tANI_U16 rsp_len = sizeof(tSirFTPreAuthRsp);
     tpPESession session_entry_con_ap;
     tpDphHashNode sta_ds = NULL;
+    if (session_entry == NULL) {
+        limLog(mac, LOGE, FL("Invalid Session Entry"));
+        return;
+    }
 
     pre_auth_rsp = (tpSirFTPreAuthRsp)vos_mem_malloc(rsp_len);
     if (NULL == pre_auth_rsp) {
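Review bot: Returning before `vos_mem_malloc` means no pre-auth response is posted at all when `session_entry` is NULL, so whichever component is waiting for `pre_auth_rsp` sees neither success nor failure; if a timer on that side does not cover this case it may stall, so confirm the waiting path or document the choice with `/* No session: no response is sent, caller must rely on its own timeout. */`. The removal of the `if (session_entry)` guard in the following hunk is consistent with this check. The function's name and the rest of its body are outside the hunk.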
@@ -77,9 +81,7 @@
     pre_auth_rsp->length = (tANI_U16)rsp_len;
     pre_auth_rsp->status = status;
     pre_auth_rsp->reason = reason;
-
-    if (session_entry)
-        pre_auth_rsp->smeSessionId = session_entry->smeSessionId;
+    pre_auth_rsp->smeSessionId = session_entry->smeSessionId;
 
     /* The bssid of the AP we are sending Auth1 to. */
     if (mac->ft.ftPEContext.pFTPreAuthReq)
@@ -668,7 +670,7 @@
         limLog(mac, LOGE,
                FL("session does not exist for given BSSID" MAC_ADDRESS_STR),
                MAC_ADDR_ARRAY(mac->ft.ftPEContext.pFTPreAuthReq->currbssId));
-        goto end;
+        goto cleanup;
     }
 
     session_entry->smeSessionId = session_entry_con_ap->smeSessionId;
@@ -681,7 +683,7 @@
         limLog(mac, LOGE,
                FL("sta_ds NULL for given BSSID" MAC_ADDRESS_STR),
                MAC_ADDR_ARRAY(mac->ft.ftPEContext.pFTPreAuthReq->currbssId));
-        goto end;
+        goto cleanup;
     }
 
     /*
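Review bot: With `goto cleanup`, the sta_ds-NULL path now skips `lim_cleanup_connected_ap` even though `session_entry_con_ap` was found valid just above; if that helper tolerates a NULL `sta_ds` and still tears down session-level state, this change drops that cleanup on one failure path. The same retargeting in the previous hunk is unproblematic since there `session_entry_con_ap` itself is NULL, and the label move in the next hunk is where the skip takes effect. If the skip is intentional, a comment at the new label such as `/* cleanup: reached when no connected-AP context exists to tear down */` would record that. The enclosing function starts and ends outside this hunk.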
@@ -698,9 +700,9 @@
     if (ret_code == eSIR_SUCCESS)
         return;
 
-end:
     /* Connected AP lim cleanup.*/
     lim_cleanup_connected_ap(mac, sta_ds_connected_ap, session_entry_con_ap);
+cleanup:
     /*
      * eHAL_STATUS_INVALID_PARAMETER is used
      * so that full cleanup is triggered.
@@ -721,7 +723,7 @@
 static inline void lim_process_preauth_mbb_result(tpAniSirGlobal mac,
      eHalStatus status, tANI_U32 *data)
 {
-    tpPESession session_entry, ft_session_entry;
+    tpPESession session_entry, ft_session_entry = NULL;
     tpDphHashNode sta_ds;
     tAddBssParams *add_bss_params;
     tSirSmeJoinReq *reassoc_req;
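Review bot: Only `ft_session_entry` gains a NULL initializer while `session_entry` in the same declaration stays indeterminate; if any `goto end` in this function can be reached before `session_entry` is assigned, the same class of defect the commit fixes remains possible, and initializing both, `tpPESession session_entry = NULL, ft_session_entry = NULL;`, is cheap. The same applies to `sta_ds` on the following line. The body of lim_process_preauth_mbb_result continues past the hunk.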
@@ -853,7 +855,8 @@
     return;
 
 end:
-    lim_handle_reassoc_mbb_fail(mac, ft_session_entry);
+    if (ft_session_entry)
+        lim_handle_reassoc_mbb_fail(mac, ft_session_entry);
 }
 
 /*
diff --git a/CORE/SME/src/csr/csr_roam_mbb.c b/CORE/SME/src/csr/csr_roam_mbb.c
index f701722..de81060 100644
--- a/CORE/SME/src/csr/csr_roam_mbb.c
+++ b/CORE/SME/src/csr/csr_roam_mbb.c
@@ -74,6 +74,11 @@
                                           &mac->roam.neighborRoamInfo;
     eHalStatus status;
 
+    if (session == NULL) {
+        smsLog(mac, LOGE, FL("Invalid Session ID %d"), session_id);
+        return eHAL_STATUS_FAILURE;
+    }
+
     auth_req_len = sizeof(tSirFTPreAuthReq);
     pre_auth_req = (tpSirFTPreAuthReq)vos_mem_malloc(auth_req_len);
     if (NULL == pre_auth_req) {
@@ -453,7 +458,11 @@
 
     /* Get profile */
     session = CSR_GET_SESSION(mac, sme_session_id);
-
+    if (session == NULL) {
+        smsLog(mac, LOGE,
+               FL("Invalid Session ID %d"), sme_session_id);
+        return eHAL_STATUS_FAILURE;
+    }
     profile = vos_mem_malloc(sizeof(*profile));
     if (NULL == profile) {
         smsLog(mac, LOGE, FL("Memory allocation failure for profile"));
@@ -749,6 +758,11 @@
     }
 
     session = CSR_GET_SESSION(mac, pre_auth_rsp->smeSessionId);
+    if (session == NULL) {
+        smsLog(mac, LOGE,
+               FL("Invalid Session ID %d"), pre_auth_rsp->smeSessionId);
+        return;
+    }
     if (session->abortConnection) {
         smsLog(mac, LOGE,
                FL("Disconnect in progress, stop preauth/reassoc timer"));
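Review bot: The early `return` drops `pre_auth_rsp` without any further handling; if this handler owns the response buffer and frees it at the end of the function (outside the hunk), the new path leaks it, and if a roam state machine waits on this response, nothing advances it. Confirm the buffer's ownership and, if needed, release it before returning, or annotate the return with `/* pre_auth_rsp is freed by the caller */` once verified. The enclosing function starts and ends outside the hunk.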