qcacld-3.0: Avoid NULL pointer dereferenced

Pointer 'pre_cac_adapter' returned from call to function 'hdd_get_adapter_by_iface_name' may be NULL and may be dereferenced. Array '&param_val' of size 4 may use index value(s) large than 4. Change-Id: Ic66628f79a6118bc5ab4d6571f341b80e18c689b CRs-Fixed: 3559886
2023-07-13 03:47:13 -07:00 · 2023-07-13 03:47:13 -07:00 · 05133482ca
commit 05133482ca
parent 8d6557a26d
2 changed files with 41 additions and 38 deletions
--- a/core/hdd/src/wlan_hdd_pre_cac.c
+++ b/core/hdd/src/wlan_hdd_pre_cac.c
@ -234,11 +234,16 @@ static int __wlan_hdd_request_pre_cac(struct hdd_context *hdd_ctx,

 	pre_cac_adapter = hdd_get_adapter_by_iface_name(hdd_ctx,
 							SAP_PRE_CAC_IFNAME);
-	if (!pre_cac_adapter &&
-	    (policy_mgr_get_connection_count(hdd_ctx->psoc) > 1)) {
+	if (!pre_cac_adapter) {
+		hdd_err("error opening the pre cac adapter");
+		return -EINVAL;
+	}
+
+	if (policy_mgr_get_connection_count(hdd_ctx->psoc) > 1) {
 		hdd_err("pre cac not allowed in concurrency");
 		return -EINVAL;
 	}
+
 	pre_cac_link_info = pre_cac_adapter->deflink;

 	ap_adapter = hdd_get_adapter(hdd_ctx, QDF_SAP_MODE);
@ -281,42 +286,40 @@ static int __wlan_hdd_request_pre_cac(struct hdd_context *hdd_ctx,

 	hdd_debug("starting pre cac SAP  adapter");

+	mac_addr = wlan_hdd_get_intf_addr(hdd_ctx, QDF_SAP_MODE);
+	if (!mac_addr) {
+		hdd_err("can't add virtual intf: Not getting valid mac addr");
+		return -EINVAL;
+	}
+
+	/**
+	 * Starting a SAP adapter:
+	 * Instead of opening an adapter, we could just do a SME open
+	 * session for AP type. But, start BSS would still need an
+	 * adapter. So, this option is not taken.
+	 *
+	 * hdd open adapter is going to register this precac interface
+	 * with user space. This interface though exposed to user space
+	 * will be in DOWN state. Consideration was done to avoid this
+	 * registration to the user space. But, as part of SAP
+	 * operations multiple events are sent to user space. Some of
+	 * these events received from unregistered interface was
+	 * causing crashes. So, retaining the registration.
+	 *
+	 * So, this interface would remain registered and will remain
+	 * in DOWN state for the CAC duration. We will add notes in the
+	 * feature announcement to not use this temporary interface for
+	 * any activity from user space.
+	 */
+	params.is_add_virtual_iface = 1;
+	pre_cac_adapter = hdd_open_adapter(hdd_ctx, QDF_SAP_MODE,
+					   SAP_PRE_CAC_IFNAME, mac_addr,
+					   NET_NAME_UNKNOWN, true,
+					   &params);
+
 	if (!pre_cac_adapter) {
-		mac_addr = wlan_hdd_get_intf_addr(hdd_ctx, QDF_SAP_MODE);
-		if (!mac_addr) {
-			hdd_err("can't add virtual intf: Not getting valid mac addr");
-			return -EINVAL;
-		}
-
-		/**
-		 * Starting a SAP adapter:
-		 * Instead of opening an adapter, we could just do a SME open
-		 * session for AP type. But, start BSS would still need an
-		 * adapter. So, this option is not taken.
-		 *
-		 * hdd open adapter is going to register this precac interface
-		 * with user space. This interface though exposed to user space
-		 * will be in DOWN state. Consideration was done to avoid this
-		 * registration to the user space. But, as part of SAP
-		 * operations multiple events are sent to user space. Some of
-		 * these events received from unregistered interface was
-		 * causing crashes. So, retaining the registration.
-		 *
-		 * So, this interface would remain registered and will remain
-		 * in DOWN state for the CAC duration. We will add notes in the
-		 * feature announcement to not use this temporary interface for
-		 * any activity from user space.
-		 */
-		params.is_add_virtual_iface = 1;
-		pre_cac_adapter = hdd_open_adapter(hdd_ctx, QDF_SAP_MODE,
-						   SAP_PRE_CAC_IFNAME, mac_addr,
-						   NET_NAME_UNKNOWN, true,
-						   &params);
-
-		if (!pre_cac_adapter) {
-			hdd_err("error opening the pre cac adapter");
-			goto release_intf_addr_and_return_failure;
-		}
+		hdd_err("error opening the pre cac adapter");
+		goto release_intf_addr_and_return_failure;
 	}

 	pre_cac_ap_ctx = WLAN_HDD_GET_AP_CTX_PTR(pre_cac_link_info);
--- a/core/sme/src/common/sme_api.c
+++ b/core/sme/src/common/sme_api.c
@ -11068,7 +11068,7 @@ int sme_send_he_om_ctrl_update(mac_handle_t mac_handle, uint8_t session_id,
 	sme_debug("EHT OMI: BW %d rx nss %d tx nss %d", omi_data->eht_ch_bw_ext,
 		  omi_data->eht_rx_nss_ext, omi_data->eht_tx_nss_ext);

-	qdf_mem_copy(&param_val, omi_data, sizeof(omi_data));
+	qdf_mem_copy(&param_val, omi_data, sizeof(param_val));
 	wlan_mlme_get_bssid_vdev_id(mac_ctx->pdev, session_id,
 				    &connected_bssid);
 	sme_debug("param val %08X, bssid:"QDF_MAC_ADDR_FMT, param_val,