Fix the NULL pointer dereference in csr neighbor roaming.
Reset the num of channels to zero in channel list info when the
channel list becomes empty. Not resetting the num of channels info
leading to NULL derefernce in csrNeighborRoamPrepareScanProfileFilter
function.
Change-Id: I3f972a7e8ec7e82c4716ca5efd5946ce0d4a369f
CRs-Fixed: 465462
diff --git a/CORE/SME/src/csr/csrNeighborRoam.c b/CORE/SME/src/csr/csrNeighborRoam.c
index 151df77..d380e44 100644
--- a/CORE/SME/src/csr/csrNeighborRoam.c
+++ b/CORE/SME/src/csr/csrNeighborRoam.c
@@ -1529,6 +1529,7 @@
status);
vos_mem_free(pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.ChannelList);
pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.ChannelList = NULL;
+ pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.numOfChannels = 0;
vosStatus = VOS_STATUS_E_FAILURE;
}
else
@@ -1549,6 +1550,7 @@
status);
vos_mem_free(pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.ChannelList);
pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.ChannelList = NULL;
+ pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.numOfChannels = 0;
vosStatus = VOS_STATUS_E_FAILURE;
}
else
@@ -1727,6 +1729,7 @@
smsLog(pMac, LOGE, FL("Neighbor results refresh timer failed to start, status = %d"), hstatus);
vos_mem_free(pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.ChannelList);
pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.ChannelList = NULL;
+ pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.numOfChannels = 0;
return eHAL_STATUS_FAILURE;
}
@@ -1831,6 +1834,7 @@
smsLog(pMac, LOGE, FL("Neighbor scan PAL Timer start failed, status = %d, Ignoring state transition"), status);
vos_mem_free(pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.ChannelList);
pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.ChannelList = NULL;
+ pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.numOfChannels = 0;
return eHAL_STATUS_FAILURE;
}
}
@@ -2455,6 +2459,7 @@
}
pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.ChannelList = NULL;
+ pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.numOfChannels = 0;
/* Store the obtained channel list to the Neighbor Control data structure */
if (numChannels)
pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.ChannelList = vos_mem_malloc((numChannels) * sizeof(tANI_U8));
@@ -2531,6 +2536,7 @@
smsLog(pMac, LOGE, FL("PAL Timer start for neighbor scan timer failed, status = %d, Ignoring state transition"), status);
vos_mem_free(pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.ChannelList);
pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.ChannelList = NULL;
+ pNeighborRoamInfo->roamChannelInfo.currentChannelListInfo.numOfChannels = 0;
return;
}
pNeighborRoamInfo->FTRoamInfo.currentNeighborRptRetryNum = 0;
@@ -2804,6 +2810,7 @@
{
vos_mem_free(currChannelListInfo->ChannelList);
currChannelListInfo->ChannelList = NULL;
+ currChannelListInfo->numOfChannels = 0;
}
// Now obtain the contents for "channelList" (the "default valid channel list") from EITHER
@@ -2982,6 +2989,7 @@
smsLog(pMac, LOGE, FL("Neighbor scan PAL Timer start failed, status = %d, Ignoring state transition"), status);
vos_mem_free(currChannelListInfo->ChannelList);
currChannelListInfo->ChannelList = NULL;
+ currChannelListInfo->numOfChannels = 0;
return VOS_STATUS_E_FAILURE;
}