Commit 6ef2dfa1 authored Nov 28, 2018 by Pragaspathi Thilagaraj

qcacmn: Fix null pointer dereference in extract_sar_limit_event_tlv

When WMI_SAR_GET_LIMITS_EVENTID is received from firmware, the
function extract_sar_limit_event_tlv is called to update the SAR
limits for all the chains of each band. There is a for loop
defined to loop over each item in param_buf->sar_get_limits.
Since the param_buf->sar_get_limits could be either optionally
defined or not a part of the message at all there is a potential
NULL pointer dereference if sar_get_limits is not sent as part
of the WMI_SAR_GET_LIMITS_EVENTID event.

param_buf->sar_get_limits needs to be checked for NULL prior to
derefencing it.

Change-Id: I93c07fa8048df97c6f6960b0db6df3bbc30e23b4
CRs-Fixed: 2336928

parent 403164d9

wmi/src/wmi_unified_tlv.c

+12 −8

Original line number	Diff line number	Diff line
		@@ -4224,6 +4224,7 @@ static QDF_STATUS extract_sar_limit_event_tlv(wmi_unified_t wmi_handle,
		}

		row_in = param_buf->sar_get_limits;
		if (row_in) {
		row_out = &event->sar_limit_row[0];
		for (row = 0; row < event->num_limit_rows; row++) {
		row_out->band_id = row_in->band_id;
		@@ -4233,6 +4234,9 @@ static QDF_STATUS extract_sar_limit_event_tlv(wmi_unified_t wmi_handle,
		row_out++;
		row_in++;
		}
		} else {
		WMI_LOGD("sar_get_limits is NULL");
		}

		return QDF_STATUS_SUCCESS;
		}