wlan: Fix Null pointer dereference
Check whether session_entry is NULL in the host driver before
dereferencing it.
Fix is to add return status and do required cleanup
in case session_entry is NULL.
Change-Id: If42d8e1e4df68e6148f497cda6b12d7454158996
CRs-Fixed: 2195907
diff --git a/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c b/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
index a4bb404..5276aa4 100644
--- a/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
+++ b/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
@@ -4142,6 +4142,11 @@
eLIM_CNF_WAIT_TIMER,
aid);
}
+ else
+ {
+ limLog(pmac, LOGE, FL("NULL sta_ds"));
+ goto end;
+ }
if (assoc_cnf.statusCode == eSIR_SME_SUCCESS)
{
sta_ds->mlmStaContext.mlmState = eLIM_MLM_LINK_ESTABLISHED_STATE;
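Review bot: The new `goto end` jumps to a cleanup label that is outside this hunk, and that label was previously only reached after sta_ds had been looked up, so it is worth confirming that the code at `end:` tolerates sta_ds being NULL rather than dereferencing or releasing it. The added log line also drops the context the surrounding code has at hand; `limLog(pmac, LOGE, FL("NULL sta_ds for aid %d"), aid);` would make the failure locatable without a debugger. The enclosing function starts and ends outside the hunk.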
diff --git a/CORE/MAC/src/pe/lim/limUtils.c b/CORE/MAC/src/pe/lim/limUtils.c
index 3bd1466..af86449 100644
--- a/CORE/MAC/src/pe/lim/limUtils.c
+++ b/CORE/MAC/src/pe/lim/limUtils.c
@@ -9044,6 +9044,11 @@
tpSirAssocReq assoc_req)
{
tpPESession session_entry = limIsApSessionActive(pmac);
+ if (session_entry == NULL)
+ {
+ limLog(pmac, LOGE, FL("Invalid Session Entry"));
+ goto error;
+ }
if (IS_DOT11_MODE_HT(session_entry->dot11mode) &&
assoc_req->HTCaps.present && assoc_req->wmeInfoPresent)
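Review bot: The `goto error` target is not visible in this hunk, so confirm that an `error:` label exists in this function and that it hands a failure status back to the caller instead of falling into the success path; the second hunk in this file (at line 9173) handles the same missing-session condition with a bare `return;`, so the two call sites end up with different contracts for the same failure. assoc_req is dereferenced on the very next line without a corresponding check; if any caller can pass it as NULL, the same guard should cover it. The function body continues past the end of the hunk.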
@@ -9168,7 +9173,11 @@
tHalBitVal qos_mode;
tHalBitVal wsm_mode, wme_mode;
tpPESession session_entry = limIsApSessionActive(pmac);
-
+ if (session_entry == NULL)
+ {
+ limLog(pmac, LOGE, FL("Invalid Session Entry"));
+ return;
+ }
limGetQosMode(session_entry, &qos_mode);
sta_ds->qosMode = eANI_BOOLEAN_FALSE;
sta_ds->lleEnabled = eANI_BOOLEAN_FALSE;
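Review bot: Returning early from what appears to be a void function leaves sta_ds->qosMode and the other fields populated below untouched, and the caller has no way to learn that the update was skipped, so a crash is traded for a silently half-initialised station entry. If changing the return type is out of scope for this fix, a comment at the return documenting the contract, `/* sta_ds left unmodified: caller is expected to have validated the AP session */`, at least makes the behaviour explicit for the next reader. The enclosing function starts and ends outside the hunk.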
diff --git a/CORE/MAC/src/pe/lim/lim_mbb.c b/CORE/MAC/src/pe/lim/lim_mbb.c
index fdf18a2..9cd3501 100644
--- a/CORE/MAC/src/pe/lim/lim_mbb.c
+++ b/CORE/MAC/src/pe/lim/lim_mbb.c
@@ -63,6 +63,10 @@
tANI_U16 rsp_len = sizeof(tSirFTPreAuthRsp);
tpPESession session_entry_con_ap;
tpDphHashNode sta_ds = NULL;
+ if (session_entry == NULL) {
+ limLog(mac, LOGE, FL("Invalid Session Entry"));
+ return;
+ }
pre_auth_rsp = (tpSirFTPreAuthRsp)vos_mem_malloc(rsp_len);
if (NULL == pre_auth_rsp) {
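Review bot: Returning before pre_auth_rsp is even allocated means no pre-auth response is posted at all when session_entry is NULL; if the SME side waits on that response to advance or abort the roam (the csr_roam_mbb.c hunks in this commit suggest it does), this leaves the roam stuck rather than failed. It is worth checking whether a response carrying the failure status can still be built here without the session, or documenting at the return, `/* no session: response cannot be posted, caller must time out the preauth */`, so the omission is deliberate and visible. The second hunk in this file (line 81) relies on this early return to drop the old `if (session_entry)` guard, so the two must stay together. The function signature is above the hunk.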
@@ -77,9 +81,7 @@
pre_auth_rsp->length = (tANI_U16)rsp_len;
pre_auth_rsp->status = status;
pre_auth_rsp->reason = reason;
-
- if (session_entry)
- pre_auth_rsp->smeSessionId = session_entry->smeSessionId;
+ pre_auth_rsp->smeSessionId = session_entry->smeSessionId;
/* The bssid of the AP we are sending Auth1 to. */
if (mac->ft.ftPEContext.pFTPreAuthReq)
@@ -668,7 +670,7 @@
limLog(mac, LOGE,
FL("session does not exist for given BSSID" MAC_ADDRESS_STR),
MAC_ADDR_ARRAY(mac->ft.ftPEContext.pFTPreAuthReq->currbssId));
- goto end;
+ goto cleanup;
}
session_entry->smeSessionId = session_entry_con_ap->smeSessionId;
@@ -681,7 +683,7 @@
limLog(mac, LOGE,
FL("sta_ds NULL for given BSSID" MAC_ADDRESS_STR),
MAC_ADDR_ARRAY(mac->ft.ftPEContext.pFTPreAuthReq->currbssId));
- goto end;
+ goto cleanup;
}
/*
@@ -698,9 +700,9 @@
if (ret_code == eSIR_SUCCESS)
return;
-end:
/* Connected AP lim cleanup.*/
lim_cleanup_connected_ap(mac, sta_ds_connected_ap, session_entry_con_ap);
+cleanup:
/*
* eHAL_STATUS_INVALID_PARAMETER is used
* so that full cleanup is triggered.
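Review bot: The `cleanup:` label now marks the point where lim_cleanup_connected_ap has been deliberately skipped, because the two `goto cleanup` sites (the hunks at lines 670 and 683) fire precisely when session_entry_con_ap or its sta_ds could not be found, yet nothing at the label says so. A comment such as `/* cleanup: connected-AP session or its sta_ds unavailable, so only the FT/reassoc side is torn down here */` would keep a later reader from "fixing" the fall-through by reintroducing the call. Since the old `end:` label is removed, any other `goto end` in this function outside the hunks would no longer compile; the build presumably confirms there is none.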
@@ -721,7 +723,7 @@
static inline void lim_process_preauth_mbb_result(tpAniSirGlobal mac,
eHalStatus status, tANI_U32 *data)
{
- tpPESession session_entry, ft_session_entry;
+ tpPESession session_entry, ft_session_entry = NULL;
tpDphHashNode sta_ds;
tAddBssParams *add_bss_params;
tSirSmeJoinReq *reassoc_req;
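Review bot: Only ft_session_entry is NULL-initialised here, while session_entry and sta_ds on the neighbouring declarations remain indeterminate; the guard this enables at `end:` (hunk at line 855) works for ft_session_entry, but if any `goto end` in the body precedes the assignment of the other two and the cleanup path touches them, the same class of bug remains. Initialising all pointer locals in this function uniformly, `tpPESession session_entry = NULL, ft_session_entry = NULL;` and `tpDphHashNode sta_ds = NULL;`, removes the question. The function body continues past the end of the hunk.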
@@ -853,7 +855,8 @@
return;
end:
- lim_handle_reassoc_mbb_fail(mac, ft_session_entry);
+ if (ft_session_entry)
+ lim_handle_reassoc_mbb_fail(mac, ft_session_entry);
}
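Review bot: When ft_session_entry is NULL the failure handling is now skipped silently; if lim_handle_reassoc_mbb_fail is the only path that reports the reassoc failure to SME or resets the MBB state, that failure goes unreported and the roam may be left pending. At minimum an else branch that logs it, `else limLog(mac, LOGE, FL("ft_session_entry NULL, reassoc failure not handled"));`, keeps the event visible in the field, and a short comment at the guard should state what the caller is expected to do in that case. The function body begins above the hunk.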
/*
diff --git a/CORE/SME/src/csr/csr_roam_mbb.c b/CORE/SME/src/csr/csr_roam_mbb.c
index f701722..de81060 100644
--- a/CORE/SME/src/csr/csr_roam_mbb.c
+++ b/CORE/SME/src/csr/csr_roam_mbb.c
@@ -74,6 +74,11 @@
&mac->roam.neighborRoamInfo;
eHalStatus status;
+ if (session == NULL) {
+ smsLog(mac, LOGE, FL("Invalid Session ID %d"), session_id);
+ return eHAL_STATUS_FAILURE;
+ }
+
auth_req_len = sizeof(tSirFTPreAuthReq);
pre_auth_req = (tpSirFTPreAuthReq)vos_mem_malloc(auth_req_len);
if (NULL == pre_auth_req) {
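Review bot: If CSR_GET_SESSION only yields NULL for an out-of-range session id (as is usual in this driver), the new check catches a bad index but still lets an in-range, unopened session slot through to the code below; where a validity macro such as CSR_IS_SESSION_VALID exists in this tree, `if (session == NULL || !CSR_IS_SESSION_VALID(mac, session_id))` would be the stronger guard. The same applies to the two later hunks in this file (lines 458 and 758). The `%d` in the log format also assumes session_id is a signed int; if it is a tANI_U32 or tANI_U8 the specifier should match. The assignment of session is above the hunk.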
@@ -453,7 +458,11 @@
/* Get profile */
session = CSR_GET_SESSION(mac, sme_session_id);
-
+ if (session == NULL) {
+ smsLog(mac, LOGE,
+ FL("Invalid Session ID %d"), sme_session_id);
+ return eHAL_STATUS_FAILURE;
+ }
profile = vos_mem_malloc(sizeof(*profile));
if (NULL == profile) {
smsLog(mac, LOGE, FL("Memory allocation failure for profile"));
@@ -749,6 +758,11 @@
}
session = CSR_GET_SESSION(mac, pre_auth_rsp->smeSessionId);
+ if (session == NULL) {
+ smsLog(mac, LOGE,
+ FL("Invalid Session ID %d"), pre_auth_rsp->smeSessionId);
+ return;
+ }
if (session->abortConnection) {
smsLog(mac, LOGE,
FL("Disconnect in progress, stop preauth/reassoc timer"));
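Review bot: The new early return exits before the neighbour-roam state and timers referenced just below are touched; if this function is also responsible for releasing pre_auth_rsp or for moving the MBB roam state machine on every exit, that work is now skipped on the invalid-session path. Confirm that the caller owns the pre_auth_rsp buffer and that an unmatched pre-auth response cannot leave a timer or a "roam in progress" flag set, and note the ownership at the return, `/* pre_auth_rsp is owned and freed by the caller */`, if that is the case. The enclosing function starts and ends outside the hunk.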