wlan: Avoid dereference of pointer after free
Fix to avoid dereference of pointer after free and
initialize pointer before use.
Change-Id: I845f02b3f513b7fb202def187a3b87624b1cd236
CRs-Fixed: 1041573
diff --git a/CORE/MAC/src/pe/lim/limProcessMessageQueue.c b/CORE/MAC/src/pe/lim/limProcessMessageQueue.c
index 1930dcf..d7cb4b1 100644
--- a/CORE/MAC/src/pe/lim/limProcessMessageQueue.c
+++ b/CORE/MAC/src/pe/lim/limProcessMessageQueue.c
@@ -2252,7 +2252,7 @@
{
tpPESession psessionEntry;
tANI_U8 sessionId;
- tDphHashNode *pStaDs;
+ tDphHashNode *pStaDs = NULL;
int i, aid;
tTdlsLinkEstablishParams *pTdlsLinkEstablishParams;
pTdlsLinkEstablishParams = (tTdlsLinkEstablishParams*) limMsg->bodyptr;
@@ -2289,11 +2289,17 @@
}
}
send_link_resp:
- limSendSmeTdlsLinkEstablishReqRsp(pMac,
+ if (pStaDs)
+ limSendSmeTdlsLinkEstablishReqRsp(pMac,
psessionEntry->smeSessionId,
pStaDs->staAddr,
pStaDs,
pTdlsLinkEstablishParams->status) ;
+ else
+ limSendSmeTdlsLinkEstablishReqRsp(pMac,
+ psessionEntry->smeSessionId,
+ NULL, NULL,
+ pTdlsLinkEstablishParams->status) ;
}
vos_mem_free((v_VOID_t *)(limMsg->bodyptr));
limMsg->bodyptr = NULL;
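Review bot: The new `else` branch at `send_link_resp` passes `NULL` for both the peer MAC and the station entry, which is only safe if `limSendSmeTdlsLinkEstablishReqRsp` checks both before reading from them; the callee is not shown, so confirm this or add the guard there. `psessionEntry->smeSessionId` is still dereferenced on both branches, so a `goto send_link_resp` taken before a session is resolved would be a NULL dereference of the same kind; the enclosing block starts outside the hunk, so whether that path exists cannot be seen here. The duplicated, unbraced if/else could be one call that passes `pStaDs ? pStaDs->staAddr : NULL` as the address argument, so the two paths cannot drift apart. The same points apply to `send_chan_switch_resp` and `limSendSmeTdlsChanSwitchReqRsp` in the hunk at -2341.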
@@ -2304,7 +2310,7 @@
{
tpPESession psessionEntry;
tANI_U8 sessionId;
- tDphHashNode *pStaDs;
+ tDphHashNode *pStaDs = NULL;
int i, aid;
tTdlsChanSwitchParams *pTdlsChanSwitchParams;
pTdlsChanSwitchParams = (tTdlsChanSwitchParams*) limMsg->bodyptr;
@@ -2341,11 +2347,17 @@
}
}
send_chan_switch_resp:
- limSendSmeTdlsChanSwitchReqRsp(pMac,
+ if (pStaDs)
+ limSendSmeTdlsChanSwitchReqRsp(pMac,
psessionEntry->smeSessionId,
pStaDs->staAddr,
pStaDs,
- pTdlsChanSwitchParams->status) ;
+ pTdlsChanSwitchParams->status);
+ else
+ limSendSmeTdlsChanSwitchReqRsp(pMac,
+ psessionEntry->smeSessionId,
+ NULL, NULL,
+ pTdlsChanSwitchParams->status);
}
vos_mem_free((v_VOID_t *)(limMsg->bodyptr));
limMsg->bodyptr = NULL;
diff --git a/CORE/WDA/src/wlan_qct_wda.c b/CORE/WDA/src/wlan_qct_wda.c
index 57a008c..1685e02 100644
--- a/CORE/WDA/src/wlan_qct_wda.c
+++ b/CORE/WDA/src/wlan_qct_wda.c
@@ -14999,10 +14999,10 @@
FL("Fwr Mem Dump Req failed, free all the memory"));
status = CONVERT_WDI2VOS_STATUS(wstatus);
vos_mem_free(pWdaParams->wdaWdiApiMsgParam) ;
- vos_mem_free(pWdaParams->wdaMsgParam);
- vos_mem_free(pWdaParams);
pWdaParams->wdaWdiApiMsgParam = NULL;
+ vos_mem_free(pWdaParams->wdaMsgParam);
pWdaParams->wdaMsgParam = NULL;
+ vos_mem_free(pWdaParams);
}
return status;