samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Check pointer before dereference it

Browse Source 
sync_completion_queue pass to function hif_dev_issue_recv_packet_bundle
may be NULL when asyncProc is true, and this queue pointer will be
dereferenced in HTC_PACKET_QUEUE_ITERATE_ALLOW_REMOVE.

Add checking before dereference this pointer.

Change-Id: I7e6f7923c819a7af8ed5444853ee74ffe1dd1a76
CRs-Fixed: 2071228
This commit is contained in:
Will Huang
2017-07-05 08:43:27 +08:00
committed by snandini
parent 4f7c305cfa
commit 2411f76c2b
1 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
hif/src/sdio/hif_sdio_recv.c
View File

@@ -779,14 +779,17 @@ static QDF_STATUS hif_dev_issue_recv_packet_bundle(struct hif_sdio_device *pdev,
} else {
unsigned char *buffer = bundle_buffer;
*num_packets_fetched = i;
HTC_PACKET_QUEUE_ITERATE_ALLOW_REMOVE(sync_completion_queue,
packet) {
padded_length =
DEV_CALC_RECV_PADDED_LEN(pdev,
packet->ActualLength);
A_MEMCPY(packet->pBuffer, buffer, padded_length);
buffer += padded_length;
} HTC_PACKET_QUEUE_ITERATE_END;
if (sync_completion_queue) {
HTC_PACKET_QUEUE_ITERATE_ALLOW_REMOVE(
sync_completion_queue, packet) {
padded_length =
DEV_CALC_RECV_PADDED_LEN(pdev,
packet->ActualLength);
A_MEMCPY(packet->pBuffer,
buffer, padded_length);
buffer += padded_length;
} HTC_PACKET_QUEUE_ITERATE_END;
}
}
/* free bundle space under Sync mode */
free_htc_bundle_packet(target, packet_rx_bundle);