samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Fix null pointer dereferenc in __htc_send_pkt

Browse Source 
In __htc_send_pkt, pointer is checked against null but then
dereferenced later.
Fix it by checking null before dereference it.

Change-Id: I8a0dcfccbe458f5b85b8c930eb9685a75b64829b
CRs-Fixed: 2232835
This commit is contained in:
Yun Park
2018-06-05 11:58:30 -07:00
committed by nshrivas
parent 0cb3198ecb
commit c353d6b87c
1 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
htc/htc_send.c
View File

@@ -1358,7 +1358,7 @@ static inline QDF_STATUS __htc_send_pkt(HTC_HANDLE HTCHandle,
HTC_ENDPOINT *pEndpoint; HTC_ENDPOINT *pEndpoint;
HTC_PACKET_QUEUE pPktQueue; HTC_PACKET_QUEUE pPktQueue;
qdf_nbuf_t netbuf; qdf_nbuf_t netbuf;
HTC_FRAME_HDR *pHtcHdr; HTC_FRAME_HDR *htc_hdr;
QDF_STATUS status; QDF_STATUS status;
AR_DEBUG_PRINTF(ATH_DEBUG_SEND, AR_DEBUG_PRINTF(ATH_DEBUG_SEND,
@@ -1397,12 +1397,17 @@ static inline QDF_STATUS __htc_send_pkt(HTC_HANDLE HTCHandle,
/* provide room in each packet's netbuf for the HTC frame header */ /* provide room in each packet's netbuf for the HTC frame header */
netbuf = GET_HTC_PACKET_NET_BUF_CONTEXT(pPacket); netbuf = GET_HTC_PACKET_NET_BUF_CONTEXT(pPacket);
AR_DEBUG_ASSERT(netbuf); AR_DEBUG_ASSERT(netbuf);
if (!netbuf)
return QDF_STATUS_E_INVAL;
qdf_nbuf_push_head(netbuf, sizeof(HTC_FRAME_HDR)); qdf_nbuf_push_head(netbuf, sizeof(HTC_FRAME_HDR));
/* setup HTC frame header */ /* setup HTC frame header */
pHtcHdr = (HTC_FRAME_HDR *) qdf_nbuf_get_frag_vaddr(netbuf, 0); htc_hdr = (HTC_FRAME_HDR *)qdf_nbuf_get_frag_vaddr(netbuf, 0);
AR_DEBUG_ASSERT(pHtcHdr); AR_DEBUG_ASSERT(htc_hdr);
HTC_WRITE32(pHtcHdr, if (!htc_hdr)
return QDF_STATUS_E_INVAL;
HTC_WRITE32(htc_hdr,
SM(pPacket->ActualLength, SM(pPacket->ActualLength,
HTC_FRAME_HDR_PAYLOADLEN) | HTC_FRAME_HDR_PAYLOADLEN) |
SM(pPacket->Endpoint, SM(pPacket->Endpoint,
@@ -1412,7 +1417,7 @@ static inline QDF_STATUS __htc_send_pkt(HTC_HANDLE HTCHandle,
pPacket->PktInfo.AsTx.SeqNo = pEndpoint->SeqNo; pPacket->PktInfo.AsTx.SeqNo = pEndpoint->SeqNo;
pEndpoint->SeqNo++; pEndpoint->SeqNo++;
HTC_WRITE32(((uint32_t *) pHtcHdr) + 1, HTC_WRITE32(((uint32_t *)htc_hdr) + 1,
SM(pPacket->PktInfo.AsTx.SeqNo, SM(pPacket->PktInfo.AsTx.SeqNo,
HTC_FRAME_HDR_CONTROLBYTES1)); HTC_FRAME_HDR_CONTROLBYTES1));