qcacld-3.0: Add null pointer check and fix buffer overflow in sap

Add null pointer validation and fix possible buffer overflow issue
in sap module.

Change-Id: I314e07a31368dd3ca854b9aeab4a0bce0402a81b
CRs-Fixed: 2162246
diff --git a/core/sap/src/sap_api_link_cntl.c b/core/sap/src/sap_api_link_cntl.c
index e7b6bdb..484dec3 100644
--- a/core/sap/src/sap_api_link_cntl.c
+++ b/core/sap/src/sap_api_link_cntl.c
@@ -841,6 +841,12 @@
 	tHalHandle hal;
 
 	hal = CDS_GET_HAL_CB();
+	if (!hal) {
+		QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_ERROR,
+			  FL("null hal"));
+		return;
+	}
+
 	mac_ctx->sap.SapDfsInfo.target_channel =
 				sap_ctx->dfs_vendor_channel;
 
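Review bot: The new guard covers only `hal`, while the very next statement dereferences `mac_ctx` and `sap_ctx` with no check visible in this hunk. If either pointer can be NULL on this path, the kind of crash this commit is closing remains. The function starts outside the hunk, so confirm both are validated earlier, or extend the guard to `if (!hal || !mac_ctx || !sap_ctx) {`. Because the early exit is a bare `return;`, the caller gets no signal that the target channel was not updated; a comment such as `/* no HAL: SapDfsInfo.target_channel is left unchanged */` on the return would make that explicit.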
diff --git a/core/sap/src/sap_ch_select.c b/core/sap/src/sap_ch_select.c
index 45243c4..0e353d1 100644
--- a/core/sap/src/sap_ch_select.c
+++ b/core/sap/src/sap_ch_select.c
@@ -2507,7 +2507,7 @@
 	uint8_t best_ch_num = SAP_CHANNEL_NOT_SELECTED;
 	uint32_t ht40plus2gendch = 0;
 	v_REGDOMAIN_t domain;
-	uint8_t country[CDS_COUNTRY_CODE_LEN];
+	uint8_t country[CDS_COUNTRY_CODE_LEN + 1];
 #ifdef SOFTAP_CHANNEL_RANGE
 	uint8_t count;
 	uint32_t start_ch_num, end_ch_num, tmp_ch_num, operating_band = 0;
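Review bot: The extra byte in `country[CDS_COUNTRY_CODE_LEN + 1]` is unexplained and the array is still uninitialised, so nothing in the hunk ties the new size to the code that fills it. The writer is outside the hunk. If it copies a NUL-terminated country code, the declared size and the length it writes should derive from the same constant, otherwise a later change on either side can reintroduce the overflow. I would zero-initialise and document the declaration: `uint8_t country[CDS_COUNTRY_CODE_LEN + 1] = {0}; /* +1: room for the terminating NUL written by the country-code reader */`, after confirming that this is the reason for the extra byte.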
diff --git a/core/sap/src/sap_fsm.c b/core/sap/src/sap_fsm.c
index 7d90b17..ceb675d 100644
--- a/core/sap/src/sap_fsm.c
+++ b/core/sap/src/sap_fsm.c
@@ -1820,6 +1820,12 @@
 						mac_ctx->psoc,
 						sap_context->self_mac_addr,
 						WLAN_LEGACY_SME_ID);
+		if (!vdev) {
+			QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_ERROR,
+				  FL("Invalid vdev objmgr"));
+			return QDF_STATUS_E_INVAL;
+		}
+
 		ucfg_scan_init_default_params(vdev, req);
 		req->scan_req.dwell_time_active = 0;
 		req->scan_req.scan_id = ucfg_scan_get_scan_id(mac_ctx->psoc);
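Review bot: The early `return QDF_STATUS_E_INVAL;` on a NULL `vdev` may skip cleanup of `req`, which the next lines fill in as a scan request. The allocation is outside the hunk, so this is inferred: if `req` is heap-allocated earlier in this branch, release it with `qdf_mem_free(req);` ahead of the `return`, otherwise every failed lookup leaks one request. The message `Invalid vdev objmgr` would also be more useful for triage if it included the MAC address that failed the lookup.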