qcacld-3.0: Check acs cfg channel list before access

Currently the driver does not check whether the
ACS cfg's chanel list is valid or not and checks
for the best channel within it in the function
wlansap_is_channel_present_in_acs_list, which can
lead to potential pointer deference.

Fix is to check the channel list and then only
process for comparison.

Change-Id: Icda2e7c8f260eb636c8159fbbb697400dddbdf74
CRs-Fixed: 2479941

core/hdd/src/wlan_hdd_cfg80211.c

@@ -1683,12 +1683,15 @@ int wlan_hdd_sap_cfg_dfs_override(struct hdd_adapter *adapter)
 		sap_config->acs_cfg.ch_list = qdf_mem_malloc(
 					sizeof(uint8_t) *
 					con_sap_config->acs_cfg.ch_list_count);
-		if (!sap_config->acs_cfg.ch_list)
+		if (!sap_config->acs_cfg.ch_list) {
+			sap_config->acs_cfg.ch_list_count = 0;
 			return -ENOMEM;
-
+		}
 		qdf_mem_copy(sap_config->acs_cfg.ch_list,
 					con_sap_config->acs_cfg.ch_list,
 					con_sap_config->acs_cfg.ch_list_count);
+		sap_config->acs_cfg.ch_list_count =
+					con_sap_config->acs_cfg.ch_list_count;
 
 	} else {
 		sap_config->acs_cfg.pri_ch = con_ch;
@@ -2965,9 +2968,11 @@ void wlan_hdd_undo_acs(struct hdd_adapter *adapter)
 	if (!adapter)
 		return;
 	if (adapter->session.ap.sap_config.acs_cfg.ch_list) {
+		hdd_debug("Clearing ACS cfg channel list");
 		qdf_mem_free(adapter->session.ap.sap_config.acs_cfg.ch_list);
 		adapter->session.ap.sap_config.acs_cfg.ch_list = NULL;
 	}
+	adapter->session.ap.sap_config.acs_cfg.ch_list_count = 0;
 }
 
 /**

core/sap/src/sap_module.c

@@ -2770,7 +2770,7 @@ QDF_STATUS wlansap_filter_ch_based_acs(struct sap_context *sap_ctx,
 	size_t ch_index;
 	size_t target_ch_cnt = 0;
 
-	if (!sap_ctx || !ch_list || !ch_cnt) {
+	if (!sap_ctx || !ch_list || !ch_cnt || !sap_ctx->acs_cfg->ch_list) {
 		sap_err("NULL parameters");
 		return QDF_STATUS_E_FAULT;
 	}