From f2a04874cfbc8541f6ede34c16333aac4e4671cb Mon Sep 17 00:00:00 2001
From: Pradeep Reddy Potteti
Date: Fri, 28 Apr 2017 16:22:08 +0530
Subject: [PATCH] MBO: Fix possible NULL pointer dereference on candidate handling

If the driver provides input on MBO transition candidate handling, the target value in get_mbo_transition_candidate() can be NULL if the driver provided BSSID is not found in the wpa_supplicant BSS table. And later it would be dereferenced. Fix this by adding an explicit check before dereferencing the pointer.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/wnm_sta.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index f17a8dc83..7339ed26d 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -581,8 +581,9 @@ get_mbo_transition_candidate(struct wpa_supplicant *wpa_s,
 for (i = 0; i < info->num; i++) {
 target = wpa_bss_get_bssid(wpa_s,
 info->candidates[i].bssid);
- if (target->level <
- wpa_s->conf->disassoc_imminent_rssi_threshold)
+ if (target &&
+ (target->level <
+ wpa_s->conf->disassoc_imminent_rssi_threshold))
 continue;
 goto end;
 }
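Review bot: When `wpa_bss_get_bssid()` returns NULL, the new condition `target && (...)` is false, so control falls through to `goto end` with `target == NULL`. The loop therefore stops at the first driver-provided BSSID that is missing from the BSS table, instead of skipping it and trying the remaining candidates. If skipping is the intent, the guard would read `if (!target || target->level < wpa_s->conf->disassoc_imminent_rssi_threshold) continue;`. The `end:` label and the code after the loop are outside this hunk, so confirm what is returned when every candidate is skipped, since `target` would then hold the last lookup result. A short comment on the loop stating how an unknown BSSID is meant to be handled would make the choice explicit.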