qcacld-3.0: Update roam_profile->pAddIEScan during connect

The hdd_roam_profile->pAddIEScan is updated to point to the
default_scan_ie if nAddIEScanLength is 0. But if default_scan_ie
is updated from userspace before every connect and the
hdd_roam_profile->pAddIEScan pointer is not cleared on disconnect
due to scan for ssid in progress(during back to back connect),
then the nAddIEScanLength will not be 0, and
hdd_roam_profile->pAddIEScan will still point to the
default_scan_ie received from previous connect request, which is
already freed when new default_scan_ie is received. This causes
invalid memory access during csr_roam_copy_profile() during the
scan for SSID of the second connect.

So update the roam_profile_>pAddIEScan during connect start
irrespective of the nAddIEScanLength.

Change-Id: I33080048b27267a0af336096f9e33dfb071869eb
CRs-Fixed: 2817188

core/hdd/src/wlan_hdd_cfg80211.c

@@ -18861,18 +18861,17 @@ static int wlan_hdd_cfg80211_connect_start(struct hdd_adapter *adapter,
 		 */
 		if (adapter->device_mode == QDF_STA_MODE &&
 		    (adapter->scan_info.default_scan_ies ||
-		     adapter->scan_info.scan_add_ie.length) &&
-		    !roam_profile->nAddIEScanLength) {
-			if (adapter->scan_info.default_scan_ies) {
-				roam_profile->pAddIEScan =
-					adapter->scan_info.default_scan_ies;
-				roam_profile->nAddIEScanLength =
-					adapter->scan_info.default_scan_ies_len;
-			} else if (adapter->scan_info.scan_add_ie.length) {
+		     adapter->scan_info.scan_add_ie.length)) {
+			if (adapter->scan_info.scan_add_ie.length) {
 				roam_profile->pAddIEScan =
 					adapter->scan_info.scan_add_ie.addIEdata;
 				roam_profile->nAddIEScanLength =
 					adapter->scan_info.scan_add_ie.length;
+			} else if (adapter->scan_info.default_scan_ies) {
+				roam_profile->pAddIEScan =
+					adapter->scan_info.default_scan_ies;
+				roam_profile->nAddIEScanLength =
+					adapter->scan_info.default_scan_ies_len;
 			}
 		}
 

core/sme/src/csr/csr_api_roam.c

@@ -7837,7 +7837,7 @@ QDF_STATUS csr_roam_copy_profile(struct mac_context *mac,
 			pSrcProfile->nWAPIReqIELength);
 	}
 #endif /* FEATURE_WLAN_WAPI */
-	if (pSrcProfile->nAddIEScanLength) {
+	if (pSrcProfile->nAddIEScanLength && pSrcProfile->pAddIEScan) {
 		pDstProfile->pAddIEScan =
 			qdf_mem_malloc(pSrcProfile->nAddIEScanLength);
 		if (!pDstProfile->pAddIEScan) {