From fcc2488d253b9f0f32c82de6bec9e4b30805db5b Mon Sep 17 00:00:00 2001
From: jitiphil
Date: Fri, 11 May 2018 16:14:38 +0530
Subject: [PATCH] qcacmn: NULL pointer dereference in free_htc_bundle_packet()

Inside free_htc_bundle_packet() if the HTC packet queue associated with a packet is NULL, a NULL pointer dereference can occur. Add check to verify that HTC packet queue is not NULL before dereferencing.

Change-Id: I1965a66de74b8954fdc59733e5ef86120f4f8898
Crs-Fixed: 2232839
---
 htc/htc_send.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/htc/htc_send.c b/htc/htc_send.c
index d9a769f3e1..baaed14dba 100644
--- a/htc/htc_send.c
+++ b/htc/htc_send.c
@@ -230,9 +230,13 @@ void free_htc_bundle_packet(HTC_TARGET *target, HTC_PACKET *pPacket)
  /* restore queue */
  pQueueSave = (HTC_PACKET_QUEUE *) pPacket->pContext;
- AR_DEBUG_ASSERT(pQueueSave);
-
- INIT_HTC_PACKET_QUEUE(pQueueSave);
+ if (qdf_unlikely(!pQueueSave)) {
+ AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
+ ("\n%s: Invalid pQueueSave in HTC Packet\n",
+ __func__));
+ AR_DEBUG_ASSERT(pQueueSave);
+ } else
+ INIT_HTC_PACKET_QUEUE(pQueueSave);
  LOCK_HTC_TX(target);
  if (target->pBundleFreeList == NULL) {
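Review bot: The new NULL branch only skips INIT_HTC_PACKET_QUEUE; once AR_DEBUG_ASSERT returns (it is presumably a no-op in non-debug builds) control falls through to LOCK_HTC_TX and the packet is still pushed onto target->pBundleFreeList with pContext == NULL, so the dereference is deferred to whatever next takes that bundle packet off the free list rather than removed. If a bundle packet without its queue cannot be reused safely, return early after the assert, `AR_DEBUG_ASSERT(pQueueSave);` followed by `return;`, or add a comment stating why recycling it is acceptable; which is right depends on how the free-list consumer treats pContext, which is outside this hunk. Separately, the `} else` branch should carry braces when the if-branch does: `} else {` / `INIT_HTC_PACKET_QUEUE(pQueueSave);` / `}`. The rest of free_htc_bundle_packet continues past the end of the hunk.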