qcacmn: Check pointer before dereference it
sync_completion_queue pass to function hif_dev_issue_recv_packet_bundle
may be NULL when asyncProc is true, and this queue pointer will be
dereferenced in HTC_PACKET_QUEUE_ITERATE_ALLOW_REMOVE.
Add checking before dereference this pointer.
Change-Id: I7e6f7923c819a7af8ed5444853ee74ffe1dd1a76
CRs-Fixed: 2071228
diff --git a/hif/src/sdio/hif_sdio_recv.c b/hif/src/sdio/hif_sdio_recv.c
index 153dcf0..416c7ef 100644
--- a/hif/src/sdio/hif_sdio_recv.c
+++ b/hif/src/sdio/hif_sdio_recv.c
@@ -779,14 +779,17 @@
} else {
unsigned char *buffer = bundle_buffer;
*num_packets_fetched = i;
- HTC_PACKET_QUEUE_ITERATE_ALLOW_REMOVE(sync_completion_queue,
- packet) {
- padded_length =
- DEV_CALC_RECV_PADDED_LEN(pdev,
- packet->ActualLength);
- A_MEMCPY(packet->pBuffer, buffer, padded_length);
- buffer += padded_length;
- } HTC_PACKET_QUEUE_ITERATE_END;
+ if (sync_completion_queue) {
+ HTC_PACKET_QUEUE_ITERATE_ALLOW_REMOVE(
+ sync_completion_queue, packet) {
+ padded_length =
+ DEV_CALC_RECV_PADDED_LEN(pdev,
+ packet->ActualLength);
+ A_MEMCPY(packet->pBuffer,
+ buffer, padded_length);
+ buffer += padded_length;
+ } HTC_PACKET_QUEUE_ITERATE_END;
+ }
}
/* free bundle space under Sync mode */
free_htc_bundle_packet(target, packet_rx_bundle);