
qcacld-3.0: Fix null pointer dereference in SAP state fsm

Add a check for a NULL pointer before accessing the roam_info
object pointer.

Change-Id: Id03a47761fa9624ddf76305f110f1f83bcb0a7cd
CRs-Fixed: 2232419
Naveen Rawat пре 7 година
родитељ
комит
c3411bbdf8
2 измењених фајлова са 14 додато и 2 уклоњено
  1. 12 0
      core/sap/src/sap_api_link_cntl.c
  2. 2 2
      core/sme/src/csr/csr_api_roam.c

+ 12 - 0
core/sap/src/sap_api_link_cntl.c

@@ -1109,6 +1109,12 @@ wlansap_roam_callback(void *ctx, struct csr_roam_info *csr_roam_info,
 						csr_roam_info, &qdf_ret_status);
 		break;
 	case eCSR_ROAM_RESULT_INFRA_ASSOCIATION_CNF:
+		if (!csr_roam_info) {
+			QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_ERROR,
+				  "csr_roam_info is NULL");
+			qdf_ret_status = QDF_STATUS_E_NULL_VALUE;
+			break;
+		}
 		QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_INFO_HIGH,
 			  FL("CSR roam_result = eCSR_ROAM_RESULT_INFRA_ASSOCIATION_CNF (%d)"),
 			  roam_result);
@@ -1190,6 +1196,12 @@ wlansap_roam_callback(void *ctx, struct csr_roam_info *csr_roam_info,
 				     (void *) eSAP_STATUS_SUCCESS);
 		break;
 	case eCSR_ROAM_RESULT_INFRA_STARTED:
+		if (!csr_roam_info) {
+			QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_ERROR,
+				  "csr_roam_info is NULL");
+			qdf_ret_status = QDF_STATUS_E_NULL_VALUE;
+			break;
+		}
 		QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_INFO_HIGH,
 			  FL("CSR roam_result = eCSR_ROAM_RESULT_INFRA_STARTED (%d)"),
 			  roam_result);
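Review bot: The two added guards in the eCSR_ROAM_RESULT_INFRA_ASSOCIATION_CNF and eCSR_ROAM_RESULT_INFRA_STARTED cases are identical, and only these two cases are protected while the other cases of the same switch that take csr_roam_info are outside the hunk and presumably unguarded; if NULL can reach this callback at all, a single check at the top of the switch for the cases that require csr_roam_info would be easier to keep complete than per-case copies. The error trace also differs in form from the INFO_HIGH trace that follows it, which wraps its format in FL(); for consistency the guard message should read `FL("csr_roam_info is NULL")`. It is not visible here whether qdf_ret_status set to QDF_STATUS_E_NULL_VALUE is returned to the caller after the break, so confirm the callback's return path reports it. wlansap_roam_callback starts and ends outside both hunks.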

+ 2 - 2
core/sme/src/csr/csr_api_roam.c

@@ -4249,8 +4249,8 @@ QDF_STATUS csr_roam_call_callback(tpAniSirGlobal pMac, uint32_t sessionId,
 		 * failure, decrement bRefAssocStartCnt.
 		 */
 		pSession->bRefAssocStartCnt--;
-	} else if (u1 == eCSR_ROAM_SET_CHANNEL_RSP && u2 ==
-				eCSR_ROAM_RESULT_CHANNEL_CHANGE_SUCCESS) {
+	} else if (roam_info && (u1 == eCSR_ROAM_SET_CHANNEL_RSP)
+		   && (u2 == eCSR_ROAM_RESULT_CHANNEL_CHANGE_SUCCESS)) {
 		pSession->connectedProfile.operationChannel =
 			roam_info->channelChangeRespEvent->newChannelNumber;
 	} else if ((u1 == eCSR_ROAM_SESSION_OPENED) &&
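Review bot: The new `roam_info &&` test still leaves the dereference on the following line one level short, because `roam_info->channelChangeRespEvent` is itself a pointer that is dereferenced for newChannelNumber with no check; the condition should be `} else if (roam_info && roam_info->channelChangeRespEvent && (u1 == eCSR_ROAM_SET_CHANNEL_RSP)`. With roam_info NULL this branch is now skipped silently and control continues down the else-if chain, so operationChannel is left stale without any trace, unlike the SAP-side change in this commit which logs the NULL case; a QDF_TRACE at error level in an explicit else branch, or at least a comment stating that a NULL roam_info on a channel-change response is tolerated, would make the intent clear. csr_roam_call_callback starts and ends outside the hunk.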