diff --git a/core/sme/src/csr/csr_api_roam.c b/core/sme/src/csr/csr_api_roam.c
index 16e56c4b4d..81ca42cf48 100644
--- a/core/sme/src/csr/csr_api_roam.c
+++ b/core/sme/src/csr/csr_api_roam.c
@@ -5019,15 +5019,22 @@ static void csr_roam_join_handle_profile(tpAniSirGlobal mac_ctx,
 	uint8_t acm_mask = 0;
 #endif
 	QDF_STATUS status;
-	tCsrRoamSession *session = CSR_GET_SESSION(mac_ctx, session_id);
+	tCsrRoamSession *session;
 	tCsrRoamProfile *profile = &cmd->u.roamCmd.roamProfile;
 	tDot11fBeaconIEs *ies_local = NULL;
+
+	if (!CSR_IS_SESSION_VALID(mac_ctx, session_id)) {
+		sms_log(mac_ctx, LOGE, FL("Invalid session id %d"), session_id);
+		return;
+	}
+	session = CSR_GET_SESSION(mac_ctx, session_id);
+
 	/*
 	 * We have something to roam, tell HDD when it is infra.
 	 * For IBSS, the indication goes back to HDD via eCSR_ROAM_IBSS_IND
 	 */
-	if (CSR_IS_INFRASTRUCTURE(profile)) {
-		if (roam_info_ptr && session->bRefAssocStartCnt) {
+	if (CSR_IS_INFRASTRUCTURE(profile) && roam_info_ptr) {
+		if (session->bRefAssocStartCnt) {
 			session->bRefAssocStartCnt--;
 			roam_info_ptr->pProfile = profile;
 			/*
@@ -6052,10 +6059,16 @@ static void csr_roam_process_results_default(tpAniSirGlobal mac_ctx,
 		tSmeCmd *cmd, void *context, eCsrRoamCompleteResult res)
 {
 	uint32_t session_id = cmd->sessionId;
-	tCsrRoamSession *session = CSR_GET_SESSION(mac_ctx, session_id);
+	tCsrRoamSession *session;
 	tCsrRoamInfo roam_info;
 	QDF_STATUS status;
 
+	if (!CSR_IS_SESSION_VALID(mac_ctx, session_id)) {
+		sms_log(mac_ctx, LOGE, FL("Invalid session id %d"), session_id);
+		return;
+	}
+	session = CSR_GET_SESSION(mac_ctx, session_id);
+
 	sms_log(mac_ctx, LOGW, FL("receives no association indication"));
 	sms_log(mac_ctx, LOG1, FL("Assoc ref count %d"),
 		session->bRefAssocStartCnt);
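Review bot: The rewritten condition on the `CSR_IS_INFRASTRUCTURE(profile)` block is more than a session-validity change: moving `roam_info_ptr` into the outer `if` means an infrastructure profile with a NULL `roam_info_ptr` now skips the whole outer block instead of only the inner one, so any `else` branch (the IBSS indication path the comment above refers to) or trailing statements of that block would run for it. The function continues past the hunk, so whether the outer block has such a tail is not visible here; if it has none, the rewrite is equivalent and the commit message could say so. The validate-then-fetch sequence `if (!CSR_IS_SESSION_VALID(...)) { sms_log(...); return; } session = CSR_GET_SESSION(...);` is repeated verbatim in all five functions this commit touches; a small `static` helper that logs and returns the session or NULL would keep the check and its message in one place.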
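Review bot: `session_id` is declared `uint32_t` two lines above the new check in csr_roam_process_results_default, but the added log passes it to a `%d` conversion; `%u` matches the declared type: `sms_log(mac_ctx, LOGE, FL("Invalid session id %u"), session_id);`. The same mismatch is in the csr_roam_process_start_bss_success and csr_roam_process_join_res hunks, where `session_id` is also a `uint32_t` local. Minor in practice, but the format string and argument type should agree.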
@@ -6252,7 +6265,7 @@ static void csr_roam_process_start_bss_success(tpAniSirGlobal mac_ctx,
 {
 	uint32_t session_id = cmd->sessionId;
 	tCsrRoamProfile *profile = &cmd->u.roamCmd.roamProfile;
-	tCsrRoamSession *session = CSR_GET_SESSION(mac_ctx, session_id);
+	tCsrRoamSession *session;
 	tSirBssDescription *bss_desc = NULL;
 	tCsrRoamInfo roam_info;
 	tSirSmeStartBssRsp *start_bss_rsp = NULL;
@@ -6269,6 +6282,12 @@ static void csr_roam_process_start_bss_success(tpAniSirGlobal mac_ctx,
 	tCsrRoamHTProfile *dst_profile = NULL;
 #endif
 
+	if (!CSR_IS_SESSION_VALID(mac_ctx, session_id)) {
+		sms_log(mac_ctx, LOGE, FL("Invalid session id %d"), session_id);
+		return;
+	}
+	session = CSR_GET_SESSION(mac_ctx, session_id);
+
 	/*
 	 * on the StartBss Response, LIM is returning the Bss Description that
 	 * we are beaconing. Add this Bss Description to our scan results and
@@ -6460,7 +6479,7 @@ static void csr_roam_process_join_res(tpAniSirGlobal mac_ctx,
 	uint8_t acm_mask = 0; /* HDD needs ACM mask in assoc rsp callback */
 	uint32_t session_id = cmd->sessionId;
 	tCsrRoamProfile *profile = &cmd->u.roamCmd.roamProfile;
-	tCsrRoamSession *session = CSR_GET_SESSION(mac_ctx, session_id);
+	tCsrRoamSession *session;
 	tSirBssDescription *bss_desc = NULL;
 	tCsrScanResult *scan_res = NULL;
 	sme_qos_csr_event_indType ind_qos;
@@ -6475,6 +6494,12 @@ static void csr_roam_process_join_res(tpAniSirGlobal mac_ctx,
 	tSirSmeJoinRsp *join_rsp = (tSirSmeJoinRsp *) context;
 	uint32_t len;
 
+	if (!CSR_IS_SESSION_VALID(mac_ctx, session_id)) {
+		sms_log(mac_ctx, LOGE, FL("Invalid session id %d"), session_id);
+		return;
+	}
+	session = CSR_GET_SESSION(mac_ctx, session_id);
+
 	conn_profile = &session->connectedProfile;
 	if (eCsrReassocSuccess == res)
 		ind_qos = SME_QOS_CSR_REASSOC_COMPLETE;
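Review bot: The early `return` for an invalid session id in csr_roam_process_join_res drops the join response after a single error log; if the caller relies on this function to complete or release the roam command (the rest of the function and its caller are outside the hunk), an invalid id would leave that command unfinished. Worth confirming that the caller's path still completes the command, and once verified a comment above the check such as `/* Invalid session: drop the response; the caller still completes the command */` would record that for the next reader. The same question applies to the other handlers in this commit that now return early on an invalid session.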
@@ -18747,20 +18772,20 @@ void csr_process_nss_update_req(tpAniSirGlobal mac, tSmeCmd *command)
 	QDF_STATUS status;
 	tSirMsgQ msg_return;
 	struct sir_beacon_tx_complete_rsp *param;
-
-	tCsrRoamSession *session =
-		CSR_GET_SESSION(mac, command->sessionId);
-
-	if (!session) {
-		sms_log(mac, LOGE, FL("Session not found"));
-		goto fail;
-	}
+	tCsrRoamSession *session;
 
 	if (!command) {
 		sms_log(mac, LOGE, FL("nss update param is NULL"));
-		goto fail;
+		return;
 	}
 
+	if (!CSR_IS_SESSION_VALID(mac, command->sessionId)) {
+		sms_log(mac, LOGE, FL("Invalid session id %d"),
+			command->sessionId);
+		return;
+	}
+	session = CSR_GET_SESSION(mac, command->sessionId);
+
 	len = sizeof(*msg);
 	msg = qdf_mem_malloc(len);
 	if (!msg) {
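Review bot: Both early exits in csr_process_nss_update_req now `return` where the old code did `goto fail`; the `fail` label is outside the hunk, so if it releases the command or sends a failure response, the NULL-command and invalid-session paths no longer reach that cleanup. If `fail` only frees `msg` and `param`, which are not yet allocated at this point, the `return` is the right choice, and a one-line comment above the first check such as `/* nothing allocated yet, so no cleanup via fail: needed */` would make that explicit. The function body continues past the hunk, so the `fail` handling itself could not be checked here.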