qcacmn: Fix possible NULL pointer dereference access
In multiple functions of hif_sdio_recv.c and hif_scatter.c, there is
A_ASSERT to check NULL pointers which might null operation if it is
not debug build.
Fix it by adding proper error handle if pointer is NULL
Change-Id: Ib183366d4a1193a3cf22aae2f3431efa761d1d35
CRs-Fixed: 2058905
diff --git a/hif/src/sdio/hif_sdio_recv.c b/hif/src/sdio/hif_sdio_recv.c
index c64fdb0..153dcf0 100644
--- a/hif/src/sdio/hif_sdio_recv.c
+++ b/hif/src/sdio/hif_sdio_recv.c
@@ -488,8 +488,9 @@
pBundledLookAheadRpt->LookAhead3;
pBundledLookAheadRpt++;
}
-
- *num_look_aheads = i;
+ if (num_look_aheads) {
+ *num_look_aheads = i;
+ }
}
break;
default:
@@ -733,6 +734,9 @@
i++) {
packet = htc_packet_dequeue(recv_pkt_queue);
A_ASSERT(packet != NULL);
+ if (!packet) {
+ break;
+ }
padded_length =
DEV_CALC_RECV_PADDED_LEN(pdev, packet->ActualLength);
@@ -750,13 +754,16 @@
}
packet->PktInfo.AsRx.HTCRxFlags |= HTC_RX_PKT_PART_OF_BUNDLE;
- HTC_PACKET_ENQUEUE(sync_completion_queue, packet);
-
+ if (sync_completion_queue) {
+ HTC_PACKET_ENQUEUE(sync_completion_queue, packet);
+ }
total_length += padded_length;
}
#ifdef DEBUG_BUNDLE
qdf_print("Recv bundle count %d, length %d.\n",
- HTC_PACKET_QUEUE_DEPTH(sync_completion_queue), total_length);
+ sync_completion_queue ?
+ HTC_PACKET_QUEUE_DEPTH(sync_completion_queue) : 0,
+ total_length);
#endif
status = hif_read_write(pdev->HIFDevice,
@@ -926,6 +933,10 @@
/* dequeue one packet */
packet = htc_packet_dequeue(&recv_pkt_queue);
A_ASSERT(packet != NULL);
+ if (!packet) {
+ break;
+ }
+
packet->Completion = NULL;
if (HTC_PACKET_QUEUE_DEPTH(&recv_pkt_queue) >
@@ -971,6 +982,9 @@
packet = htc_packet_dequeue(&sync_completed_pkts_queue);
A_ASSERT(packet != NULL);
+ if (!packet) {
+ break;
+ }
num_look_aheads = 0;
status =
@@ -1064,7 +1078,7 @@
* of CPU INT register
*/
if (cpu_int_status & 0x1) {
- if (pdev && pdev->hif_callbacks.fwEventHandler)
+ if (pdev->hif_callbacks.fwEventHandler)
/* It calls into HTC which propagates this
* to ol_target_failure()
*/
diff --git a/hif/src/sdio/native_sdio/src/hif_scatter.c b/hif/src/sdio/native_sdio/src/hif_scatter.c
index 50ce7ec..85fa0fe 100644
--- a/hif/src/sdio/native_sdio/src/hif_scatter.c
+++ b/hif/src/sdio/native_sdio/src/hif_scatter.c
@@ -122,6 +122,9 @@
req_priv = busrequest->scatter_req;
A_ASSERT(req_priv != NULL);
+ if (!req_priv) {
+ return QDF_STATUS_E_FAILURE;
+ }
req = req_priv->hif_scatter_req;
@@ -226,7 +229,9 @@
(unsigned long)busrequest, status));
/* complete the request */
A_ASSERT(req->completion_routine != NULL);
- req->completion_routine(req);
+ if (req->completion_routine) {
+ req->completion_routine(req);
+ }
} else {
AR_DEBUG_PRINTF(ATH_DEBUG_SCATTER,
("HIF-SCATTER async_task upping busreq : 0x%lX (%d)\n",
@@ -258,6 +263,9 @@
do {
A_ASSERT(req_priv != NULL);
+ if (!req_priv) {
+ break;
+ }
AR_DEBUG_PRINTF(ATH_DEBUG_SCATTER,
("HIF-SCATTER: total len: %d Scatter Entries: %d\n",
@@ -455,6 +463,9 @@
req_priv = (struct HIF_SCATTER_REQ_PRIV *)req->hif_private[0];
A_ASSERT(req_priv != NULL);
+ if (!req_priv) {
+ continue;
+ }
if (req_priv->busrequest != NULL) {
req_priv->busrequest->scatter_req = NULL;