Home Explore Help
Sign In
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

qcacld-3.0: Fix NULL pointer de-reference in wma functions

Add null pointer check after malloc/utility function call in function:
 * wma_update_tdls_peer_state
 * wma_init_max_no_of_peers
 * wma_mgmt_tx_completion_handler
 * wma_ocb_set_config
 * wma_roam_scan_offload_chan_list
 * wma_roam_scan_filter
 * wma_pno_start
 * wma_start_extscan

Change-Id: I3c46ffe19e98146a5e96781a88295af88274a74f
CRs-Fixed: 1034255
Naveen Rawat 8 years ago
parent
e9fb4cef92
commit
35804773da
5 changed files with 39 additions and 2 deletions
Split View Show Diff Stats
  1. 6 0
      core/wma/src/wma_features.c
  2. 5 0
      core/wma/src/wma_main.c
  3. 6 1
      core/wma/src/wma_mgmt.c
  4. 4 0
      core/wma/src/wma_ocb.c
  5. 18 1
      core/wma/src/wma_scan_roam.c

+ 6 - 0
core/wma/src/wma_features.c
View File 

@@ -6481,6 +6481,12 @@ int wma_update_tdls_peer_state(WMA_HANDLE handle,
 
 
 	ch_mhz = qdf_mem_malloc(sizeof(uint32_t) *
 
 			 peerStateParams->peerCap.peerChanLen);
 
+	if (ch_mhz == NULL) {
 
+		WMA_LOGE("%s: memory allocation failed", __func__);
 
+		ret = -ENOMEM;
 
+		goto end_tdls_peer_state;
 
+	}
 
+
 
 	for (i = 0; i < peerStateParams->peerCap.peerChanLen; ++i) {
 
 		ch_mhz[i] =
 
 			cds_chan_to_freq(peerStateParams->peerCap.peerChan[i].

+ 5 - 0
core/wma/src/wma_main.c
View File 

@@ -1592,6 +1592,11 @@ static void wma_init_max_no_of_peers(tp_wma_handle wma_handle,
 
 {
 
 	struct wma_ini_config *cfg = wma_get_ini_handle(wma_handle);
 
 
+	if (cfg == NULL) {
 
+		WMA_LOGE("%s: NULL WMA ini handle", __func__);
 
+		return;
 
+	}
 
+
 
 	cfg->max_no_of_peers = max_peers;
 
 }

+ 6 - 1
core/wma/src/wma_mgmt.c
View File 

@@ -2463,9 +2463,14 @@ int wma_mgmt_tx_completion_handler(void *handle, uint8_t *cmpl_event_params,
 
 
 	ol_txrx_pdev_handle pdev = cds_get_context(QDF_MODULE_ID_TXRX);
 
 
+	if (pdev == NULL) {
 
+		WMA_LOGE("%s: NULL pdev pointer", __func__);
 
+		return -EINVAL;
 
+	}
 
+
 
 	param_buf = (WMI_MGMT_TX_COMPLETION_EVENTID_param_tlvs *)
 
 		cmpl_event_params;
 
-	if (!param_buf && !wma_handle) {
 
+	if (!param_buf || !wma_handle) {
 
 		WMA_LOGE("%s: Invalid mgmt Tx completion event", __func__);
 
 		return -EINVAL;
 
 	}

+ 4 - 0
core/wma/src/wma_ocb.c
View File 

@@ -252,6 +252,10 @@ int wma_ocb_set_config(tp_wma_handle wma_handle, struct sir_ocb_config *config)
 
 	tconfig.dcc_ndl_active_state_list_len = config->dcc_ndl_active_state_list_len;
 
 	tconfig.dcc_ndl_active_state_list = config->dcc_ndl_active_state_list;
 
 	ch_mhz = qdf_mem_malloc(sizeof(uint32_t)*config->channel_count);
 
+	if (ch_mhz == NULL) {
 
+		WMA_LOGE(FL("Memory allocation failed"));
 
+		return -ENOMEM;
 
+	}
 
 
 	for (i = 0; i < config->channel_count; i++)
 
 		ch_mhz[i] = wma_ocb_freq_to_mode(config->channels[i].chan_freq);

+ 18 - 1
core/wma/src/wma_scan_roam.c
View File 

@@ -981,6 +981,11 @@ QDF_STATUS wma_roam_scan_offload_chan_list(tp_wma_handle wma_handle,
 
 		return QDF_STATUS_E_EMPTY;
 
 	}
 
 	chan_list_hz = qdf_mem_malloc(chan_count * sizeof(uint8_t));
 
+	if (chan_list_hz == NULL) {
 
+		WMA_LOGE("%s : Memory allocation failed", __func__);
 
+		return QDF_STATUS_E_NOMEM;
 
+	}
 
+
 
 	for (i = 0; ((i < chan_count) &&
 
 		     (i < SIR_ROAM_MAX_CHANNELS)); i++) {
 
 		chan_list_hz[i] = cds_chan_to_freq(chan_list[i]);
 
@@ -1530,6 +1535,11 @@ QDF_STATUS wma_roam_scan_filter(tp_wma_handle wma_handle,
 
 	struct roam_scan_filter_params *params;
 
 
 	params = qdf_mem_malloc(sizeof(struct roam_scan_filter_params));
 
+	if (params == NULL) {
 
+		WMA_LOGE("%s : Memory allocation failed", __func__);
 
+		return QDF_STATUS_E_NOMEM;
 
+	}
 
+
 
 	roam_params = &roam_req->roam_params;
 
 	if (roam_req->Command != ROAM_SCAN_OFFLOAD_STOP) {
 
 		switch (roam_req->reason) {
 
@@ -1558,7 +1568,6 @@ QDF_STATUS wma_roam_scan_filter(tp_wma_handle wma_handle,
 
 		default:
 
 			WMA_LOGD("%s : Roam Filter need not be sent", __func__);
 
 			return QDF_STATUS_SUCCESS;
 
-			break;
 
 		}
 
 	} else {
 
 		/* In case of STOP command, reset all the variables
 
@@ -2921,6 +2930,10 @@ QDF_STATUS wma_pno_start(tp_wma_handle wma, tpSirPNOScanReq pno)
 
 	}
 
 
 	params = qdf_mem_malloc(sizeof(struct pno_scan_req_params));
 
+	if (params == NULL) {
 
+		WMA_LOGE("%s : Memory allocation failed", __func__);
 
+		return QDF_STATUS_E_NOMEM;
 
+	}
 
 
 	params->enable = pno->enable;
 
 	params->modePNO = (enum pno_mode) pno->modePNO;
 
@@ -4790,6 +4803,10 @@ QDF_STATUS wma_start_extscan(tp_wma_handle wma,
 
 	}
 
 
 	params = qdf_mem_malloc(sizeof(struct wifi_scan_cmd_req_params));
 
+	if (params == NULL) {
 
+		WMA_LOGE("%s : Memory allocation failed", __func__);
 
+		return QDF_STATUS_E_NOMEM;
 
+	}
 
 
 	params->basePeriod = pstart->basePeriod;
 
 	params->maxAPperScan = pstart->maxAPperScan;