wlan: Array out of bound due to invalid session Id
In background scanning, csrNeighborRoamIssueBgScanRequest
passes CSR_SESSION_ID_INVALID(0xFF) as argument-sessionId to
csrScanRequest(). In csrRoamGetConnectState, roamSession holds
at most 5 sessions, so the invalid session id 0xFF indexes past
the array and results in a page fault.
Fix this by adding session id validity check and return
appropriate error status to the calling function.
CRs-Fixed: 453007
diff --git a/CORE/SME/src/csr/csrApiRoam.c b/CORE/SME/src/csr/csrApiRoam.c
index c3eeee9..93b3099 100755
--- a/CORE/SME/src/csr/csrApiRoam.c
+++ b/CORE/SME/src/csr/csrApiRoam.c
@@ -633,7 +633,7 @@
eHalStatus csrRoamGetConnectState(tpAniSirGlobal pMac, tANI_U32 sessionId, eCsrConnectState *pState)
{
eHalStatus status = eHAL_STATUS_INVALID_PARAMETER;
- if( pState )
+ if ( CSR_IS_SESSION_VALID(pMac, sessionId) && (NULL != pState) )
{
status = eHAL_STATUS_SUCCESS;
*pState = pMac->roam.roamSession[sessionId].connectState;
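Review bot: With the new guard on the if line, an invalid sessionId makes the function return eHAL_STATUS_INVALID_PARAMETER and leave `*pState` unwritten, so any caller that reads its eCsrConnectState without checking the return value now reads an indeterminate value; this diff updates only the csrApiScan.c caller, and any other call sites of csrRoamGetConnectState are not visible here and should be audited. I would make that contract explicit in a comment above the signature, e.g. `/* Returns eHAL_STATUS_INVALID_PARAMETER if sessionId is not a valid session or pState is NULL; *pState is written only on success. */`. Testing CSR_IS_SESSION_VALID(pMac, sessionId) before the NULL test on pState is fine, since the macro only takes pMac and sessionId and so cannot dereference pState. csrRoamGetConnectState's body continues past the end of the hunk.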
diff --git a/CORE/SME/src/csr/csrApiScan.c b/CORE/SME/src/csr/csrApiScan.c
index 7657411..970be45 100755
--- a/CORE/SME/src/csr/csrApiScan.c
+++ b/CORE/SME/src/csr/csrApiScan.c
@@ -743,7 +743,8 @@
For BTC with A2DP up: Channel time will not be doubled, if station is already associated.
*/
status = csrRoamGetConnectState(pMac,sessionId,&ConnectState);
- if(pMac->btc.fA2DPUp &&
+ if (HAL_STATUS_SUCCESS(status) &&
+ pMac->btc.fA2DPUp &&
(eCSR_ASSOC_STATE_TYPE_INFRA_ASSOCIATED != ConnectState) &&
(eCSR_ASSOC_STATE_TYPE_IBSS_CONNECTED != ConnectState))
{
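Review bot: The added HAL_STATUS_SUCCESS(status) term silently disables the A2DP channel-time doubling whenever csrRoamGetConnectState rejects the session, and nothing records that this happened; the commit message says the background-scan path passes CSR_SESSION_ID_INVALID into csrScanRequest, which appears to be the function this hunk sits in, so that path will now take the skip without a trace and a later regression would be hard to diagnose. Consider emitting the failing status through the project's logging call just before the if when status is not success. If ConnectState is not initialized where it is declared (outside this hunk), initializing it there would be cheap insurance, since the new guard is the only thing keeping the two comparisons on the following lines from reading an indeterminate value. The comment just above the call should also state the new precondition, e.g. `For BTC with A2DP up: Channel time will not be doubled if the session is invalid or the station is already associated.` The enclosing function starts and ends outside the hunk.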