qcacmn: NULL pointer dereference in free_htc_bundle_packet() Inside free_htc_bundle_packet() if the HTC packet queue associated with a packet is NULL, a NULL pointer dereference can occur. Add check to verify that HTC packet queue is not NULL before dereferencing. Change-Id: I1965a66de74b8954fdc59733e5ef86120f4f8898 Crs-Fixed: 2232839

commit: fcc2488d253b9f0f32c82de6bec9e4b30805db5b [log] [tgz]
author: jitiphil <jitiphil@codeaurora.org> Fri May 11 16:14:38 2018 +0530
committer: nshrivas <nshrivas@codeaurora.org> Wed Jun 13 12:30:58 2018 -0700
tree: 84c1c78cfeac9c54d1248e13feb4ddeb3e512968
parent: e6168d475d40831101c2413c1d3a40bb660c6dc4 [diff] [blame]
diff --git a/htc/htc_send.c b/htc/htc_send.c
index d9a769f..baaed14 100644
--- a/htc/htc_send.c
+++ b/htc/htc_send.c

@@ -230,9 +230,13 @@
 
 	/* restore queue */
 	pQueueSave = (HTC_PACKET_QUEUE *) pPacket->pContext;
-	AR_DEBUG_ASSERT(pQueueSave);
-
-	INIT_HTC_PACKET_QUEUE(pQueueSave);
+	if (qdf_unlikely(!pQueueSave)) {
+		AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
+				("\n%s: Invalid pQueueSave in HTC Packet\n",
+				__func__));
+		AR_DEBUG_ASSERT(pQueueSave);
+	} else
+		INIT_HTC_PACKET_QUEUE(pQueueSave);
 
 	LOCK_HTC_TX(target);
 	if (target->pBundleFreeList == NULL) {
commit	fcc2488d253b9f0f32c82de6bec9e4b30805db5b	[log] [tgz]
author	jitiphil <jitiphil@codeaurora.org>	Fri May 11 16:14:38 2018 +0530
committer	nshrivas <nshrivas@codeaurora.org>	Wed Jun 13 12:30:58 2018 -0700
tree	84c1c78cfeac9c54d1248e13feb4ddeb3e512968
parent	e6168d475d40831101c2413c1d3a40bb660c6dc4 [diff] [blame]