qcacld-3.0: Validate pHashTable

qcacld-2.0 to qcacld-3.0 propagation

When a deauth/disassoc is received from the peer at the same time as
cleanup is in progress because of a disconnect from the supplicant, there
is a chance that pHashTable can be NULL. The memory pointed to by
pHashTable is freed during peDeleteSession, which is called during
cleanup. In dphLookupHashEntry, pHashTable is referenced without
any NULL check, which can lead to a crash. Fix this by validating
pHashTable with a NULL check.

Add a NULL check in _limProcessOperatingModeActionFrame before
referencing sta context to resolve potential KW issue.

Change-Id: I74d5c739cade19941320ee02eddc09e4fc74b105
CRs-Fixed: 898375
(cherry picked from commit b303090fde8d3a14dbf6f9c80d635e27718a583d)
Padma, Santhosh Kumar 2016-08-09 16:21:11 +05:30 committed by qcabuildsw
parent 17fac9f9c5
commit 79412edee3
2 changed files with 13 additions and 0 deletions


@ -133,6 +133,11 @@ tpDphHashNode dph_lookup_hash_entry(tpAniSirGlobal pMac, uint8_t staAddr[],
tpDphHashNode ptr = NULL;
uint16_t index = hash_function(pMac, staAddr, pDphHashTable->size);
if (!pDphHashTable->pHashTable) {
lim_log(pMac, LOGE, FL("pHashTable is NULL"));
return ptr;
}
for (ptr = pDphHashTable->pHashTable[index]; ptr; ptr = ptr->next) {
if (dph_compare_mac_addr(staAddr, ptr->staAddr)) {
*pAssocId = ptr->assocId;
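Review bot: the NULL check is placed after `hash_function(pMac, staAddr, pDphHashTable->size)` has already been evaluated, which is fine only because the index is derived from `size` rather than from the freed `pHashTable` array; a short comment stating that ordering would stop a later reorder from moving the dereference ahead of the check. Note also that this guards the caller against the freed-and-cleared table but does not serialise the deauth/disassoc path against `peDeleteSession`, so the underlying race described in the commit message remains; it would help to state in the log message which caller hit it, since `FL("pHashTable is NULL")` gives no context for triage.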


@ -504,6 +504,12 @@ static void __lim_process_operating_mode_action_frame(tpAniSirGlobal mac_ctx,
}
sta_ptr = dph_lookup_hash_entry(mac_ctx, mac_hdr->sa, &aid,
&session->dph.dphHashTable);
if (sta_ptr == NULL) {
lim_log(mac_ctx, LOGE, FL("Station context not found"));
goto end;
}
if (sta_ptr->htSupportedChannelWidthSet) {
if (WNI_CFG_VHT_CHANNEL_WIDTH_80MHZ <
sta_ptr->vhtSupportedChannelWidthSet)
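Review bot: the error branch correctly routes through `goto end` so `operating_mode_frm` is still released, but the log line `FL("Station context not found")` omits the frame's source address even though `mac_hdr->sa` is already in scope and is the lookup key; logging it (e.g. with the MAC-address format helper used elsewhere in this file) would make the failed lookup attributable when this fires during the disconnect race.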
@ -574,6 +580,8 @@ static void __lim_process_operating_mode_action_frame(tpAniSirGlobal mac_ctx,
lim_set_nss_change(mac_ctx, session, sta_ptr->vhtSupportedRxNss,
sta_ptr->staIndex, mac_hdr->sa);
}
end:
qdf_mem_free(operating_mode_frm);
return;
}
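Review bot: the `return;` after `qdf_mem_free(operating_mode_frm);` is redundant, as `end:` is the last statement of a `void` function and falls off the end anyway; dropping it keeps the two added lines to the label itself. With the label now in place, any other early exit in this function that still does a direct `return` instead of `goto end` would bypass the free, so it is worth confirming in the unchanged part of the function that every exit after the allocation goes through `end:`.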