qcacld-3.0: Fix null pointer dereference in sending probe req

Add null check when accessing additional_ielen in function lim_send_probe_req_mgmt_frame function to avoid null pointer dereference. Change-Id: Ida382b274d211431ba808817cb0d5e9c3f783c0c CRs-Fixed: 2229848
2018-04-23 18:55:26 -07:00
--- a/core/mac/src/pe/lim/lim_send_management_frames.c
+++ b/core/mac/src/pe/lim/lim_send_management_frames.c
@@ -217,12 +217,15 @@ lim_send_probe_req_mgmt_frame(tpAniSirGlobal mac_ctx,
 	uint8_t sme_sessionid = 0;
 	bool is_vht_enabled = false;
 	uint8_t txPower;
-	uint16_t addn_ielen = *additional_ielen;
+	uint16_t addn_ielen = 0;
 	bool extracted_ext_cap_flag = false;
 	tDot11fIEExtCap extracted_ext_cap;
 	tSirRetStatus sir_status;
 	const uint8_t *qcn_ie = NULL;

+	if (additional_ielen)
+		addn_ielen = *additional_ielen;
+
 	/* The probe req should not send 11ac capabilieties if band is 2.4GHz,
 	 * unless enableVhtFor24GHz is enabled in INI. So if enableVhtFor24GHz
 	 * is false and dot11mode is 11ac set it to 11n.
@@ -364,7 +367,8 @@ lim_send_probe_req_mgmt_frame(tpAniSirGlobal mac_ctx,
 					(&extracted_ext_cap);
 			extracted_ext_cap_flag =
 				(extracted_ext_cap.num_bytes > 0);
-			*additional_ielen = addn_ielen;
+			if (additional_ielen)
+				*additional_ielen = addn_ielen;
 		}
 		qcn_ie = wlan_get_vendor_ie_ptr_from_oui(SIR_MAC_QCN_OUI_TYPE,
 				SIR_MAC_QCN_OUI_TYPE_SIZE,