mpdu_bytes_array_len, mpdu_msdus_array_len, and msdu_bytes_array_len
are used to calculate the record size, as well as used as
buffer offset, without any verification. This can cause multiple
overflows and underflows leading to OOB reads.
Add checks for each arithmetic operation with these variables.
Change-Id: Ib6ec6ac6932eb8c541bc2357d45d3feaf39fdb7d
CRs-Fixed: 2226125

The driver verifies the replay_attack in protected
management frames in the API wma_is_ccmp_pn_replay_attack
The API expects a CCMP header pointer, but it may happen that
the size of the total frame is less than the size of ieee frame
+ the CCMP header length. In that case the CCMP pointer will
point to some memory location not allocated to the frame, which
will result in out-of-bounds access.
Fix is to add a length check to memory allocated to wbuf in
wma_process_rmf_frame
Change-Id: I351fa671cb8728843c8843c27dd91bcb201abb42
CRs-Fixed: 2230976

This commit fixes the VTS test failures when running the following
deprecated commands in SupplicantStaIfaceHidlTest
RXFILTER-START
RXFILTER-STOP
BTCOEXSCAN-START
BTCOEXSCAN-STOP
Change-Id: I45fa09c24700e6872de7709c6875dbdbd8aa10cc
CRs-Fixed: 2226343

In the earlier generation of product or qcacld-3.0 code,
the WoW-related logs, which help debug which packet is
waking up the APPS, used to appear in kmsg and hence were part of
the bugreport.
Now in the recent code base, this log is moved to LOGD
which appears in cnss_diag, with this change the ask is
to revive the same logs to appear in kmsg instead of
cnss_diag logs.
Hence move these from Debug to Info. INFO logs appear in kmsg.
Change-Id: Iefcd362209f3f2276d0c2ac53359e0f325122f95
CRs-Fixed: 2225547

Framework shall trigger disconnect for many reasons,
one of them is NUD failure. The motive to print tx queue
state whenever disconnect is triggered from the userspace
is to see the state of the tx queue at the time of disconnect.
Change-Id: I73f6359f6823de4781ed94b1d4f19c4a0a198879
CRs-Fixed: 2225547

Address the following issue in the core/pld folder:
CHECK: 'bandwith' may be misspelled - perhaps 'bandwidth'?
Change-Id: Ic397c156ff7ba32cec590083098474af16569ea7
CRs-Fixed: 2241943

Address the following issues in the core/mac folder:
CHECK: 'absense' may be misspelled - perhaps 'absence'?
CHECK: 'accquired' may be misspelled - perhaps 'acquired'?
CHECK: 'acknowledgement' may be misspelled - perhaps 'acknowledgment'?
CHECK: 'arbitary' may be misspelled - perhaps 'arbitrary'?
CHECK: 'automaticly' may be misspelled - perhaps 'automatically'?
CHECK: 'calulate' may be misspelled - perhaps 'calculate'?
CHECK: 'couter' may be misspelled - perhaps 'counter'?
CHECK: 'defferred' may be misspelled - perhaps 'deferred'?
CHECK: 'Defintions' may be misspelled - perhaps 'Definitions'?
CHECK: 'dependant' may be misspelled - perhaps 'dependent'?
CHECK: 'dosen' may be misspelled - perhaps 'doesn'?
CHECK: 'endianess' may be misspelled - perhaps 'endianness'?
CHECK: 'explicitely' may be misspelled - perhaps 'explicitly'?
CHECK: 'fimware' may be misspelled - perhaps 'firmware'?
CHECK: 'fucntion' may be misspelled - perhaps 'function'?
CHECK: 'Funtion' may be misspelled - perhaps 'Function'?
CHECK: 'immediatly' may be misspelled - perhaps 'immediately'?
CHECK: 'implemetation' may be misspelled - perhaps 'implementation'?
CHECK: 'Intialize' may be misspelled - perhaps 'Initialize'?
CHECK: 'lengh' may be misspelled - perhaps 'length'?
CHECK: 'managment' may be misspelled - perhaps 'management'?
CHECK: 'Managment' may be misspelled - perhaps 'Management'?
CHECK: 'messsages' may be misspelled - perhaps 'messages'?
CHECK: 'Notifed' may be misspelled - perhaps 'Notified'?
CHECK: 'parametes' may be misspelled - perhaps 'parameters'?
CHECK: 'Paramters' may be misspelled - perhaps 'Parameters'?
CHECK: 'processsing' may be misspelled - perhaps 'processing'?
CHECK: 'receving' may be misspelled - perhaps 'receiving'?
CHECK: 'Recieved' may be misspelled - perhaps 'Received'?
CHECK: 'reponse' may be misspelled - perhaps 'response'?
CHECK: 'reseting' may be misspelled - perhaps 'resetting'?
Change-Id: Id58b5bf38fe88007c88cbda62a1fc43c0f1b3a37
CRs-Fixed: 2241942

Address the following issues in the core/dp folder:
CHECK: 'accomodate' may be misspelled - perhaps 'accommodate'?
CHECK: 'acess' may be misspelled - perhaps 'access'?
CHECK: 'bahavior' may be misspelled - perhaps 'behavior'?
CHECK: 'catagory' may be misspelled - perhaps 'category'?
CHECK: 'continous' may be misspelled - perhaps 'continuous'?
CHECK: 'controler' may be misspelled - perhaps 'controller'?
CHECK: 'curently' may be misspelled - perhaps 'currently'?
CHECK: 'defintion' may be misspelled - perhaps 'definition'?
CHECK: 'Defintions' may be misspelled - perhaps 'Definitions'?
CHECK: 'desriptor' may be misspelled - perhaps 'descriptor'?
CHECK: 'extention' may be misspelled - perhaps 'extension'?
CHECK: 'informations' may be misspelled - perhaps 'information'?
CHECK: 'lenght' may be misspelled - perhaps 'length'?
CHECK: 'managment' may be misspelled - perhaps 'management'?
CHECK: 'messsage' may be misspelled - perhaps 'message'?
CHECK: 'neccessary' may be misspelled - perhaps 'necessary'?
CHECK: 'recieved' may be misspelled - perhaps 'received'?
CHECK: 'Recieve' may be misspelled - perhaps 'Receive'?
Change-Id: Ib8c1b94b5bb3bb5798e41dbb4c1461be80fd1398
CRs-Fixed: 2241941

Address the following issues in the core/cds folder:
CHECK: 'couter' may be misspelled - perhaps 'counter'?
CHECK: 'defintions' may be misspelled - perhaps 'definitions'?
CHECK: 'endianess' may be misspelled - perhaps 'endianness'?
CHECK: 'extention' may be misspelled - perhaps 'extension'?
CHECK: 'independant' may be misspelled - perhaps 'independent'?
CHECK: 'initilize' may be misspelled - perhaps 'initialize'?
CHECK: 'minumum' may be misspelled - perhaps 'minimum'?
CHECK: 'recieve' may be misspelled - perhaps 'receive'?
Change-Id: I8586ee1aa0a2ab59faa064ff534148511e662615
CRs-Fixed: 2241940

Address the following issues in the core/bmi folder:
CHECK: 'Defintions' may be misspelled - perhaps 'Definitions'?
CHECK: 'initilization' may be misspelled - perhaps 'initialization'?
Change-Id: I649b42e30e10e51c2c734d909a8c9ab2811b9421
CRs-Fixed: 2241939

When a peer connected to a SAP session triggers disconnect,
lim_send_sme_disassoc_ntf is called with the reason
eLIM_PEER_ENTITY_DISASSOC. This leads to the PE session for the SAP
being freed as part of the lim_send_disconnect_done_ind added in the
change Iec0176fecf218e07f31b258c0dc52aefb480defe.
Modify the lim_send_disconnect_done_ind API to just prepare the
disconnect done indication message and the calling function
lim_send_sme_disassoc_ntf would send the notification to SME and
free the PE session only if the current session is a STA.
Change-Id: I377f86f10becd467417d4c6409d167020e26fe87
CRs-Fixed: 2241899

When deauth is received from AP, while processing of deauth frame,
WM status change command is queued in SME command pending list with
priority set as true in which DEL_BSS and DEL_STA happens leading to
VDEV_STOP AND VDEV_DOWN correspondingly.
When disconnect is issued from upper layer, ROAM command with reason
eCsrForcedDisassoc gets queued in SME command pending list with priority
set as true which performs DEL_BSS and DEL_STA and then
eSmeCommandDelStaSession SME command is queued with priority set as false
which performs DEL_SELF_STA.
If disconnect is issued from upper layer and deauth is received from AP at
the same time, it might happen that ROAM SME command and
eSmeCommandDelStaSession SME command gets queued in SME command pending
list but WM status change command gets queued on top of these as priority
is set to true before the former commands can be processed. While
processing of WM status change command, eWNI_SME_DEAUTH_CNF msg gets
queued in SME message queue which queues WMA_DELETE_BSS_REQ in WMA msg
queue. If WM status change command is released just after
eWNI_SME_DEAUTH_CNF is posted, it might happen that Roam and
eSmeCommandDelStaSession SME commands from SME command pending list gets
processed first which will queue WMA_DEL_STA_SELF_REQ in WMA msg queue
before eWNI_SME_DEAUTH_CNF gets processed and queue WMA_DELETE_BSS_REQ
in WMA msg queue. This leads to processing of WMA_DEL_STA_SELF_REQ before
WMA_DELETE_BSS_REQ causing assert as this is unexpected behaviour.
Release WM status change command only after eWNI_SME_DISCONNECT_DONE_IND
which happens after WMA_DELETE_BSS_REQ and WMA_DELETE_STA_REQ gets
processed so that ROAM and eSmeCommandDelStaSession SME commands gets to
process only after processing of DEL_BSS and DEL_STA and so
WMA_DEL_STA_SELF_REQ will always be processed after WMA_DELETE_BSS_REQ
avoiding system assert.
Change-Id: Iec0176fecf218e07f31b258c0dc52aefb480defe
CRs-Fixed: 2211622

Add support to set antenna mode for SAP using iwpriv commands
set_txchainmask and set_txchainmask.
Change-Id: Id74d8caf6b2d48b0afbcc3791bd347d6addd2e7d
CRs-Fixed: 2239648

Inside hdd_ndi_create_req_handler(), we need to check if
the operating channel is valid. The current checks do
not ensure the operating channel is checked against all
valid values.
Correct the check condition to validate the operating
channel against all valid values.
Change-Id: I01c035b996ab26779ee005bef437393875fdd95a
CRs-Fixed: 2233118

Currently, "channel_freq" is declared as uint16_t. But
htt_get_channel_freq returns "int" which is assigned to
"channel_freq". So, channel_freq != -1 is always true
regardless of the values of its operands.
Declare "channel_freq" as int and add the check if
channel_freq is positive.
Change-Id: I13ae35c1bee3cdf293227e320ede8d8cd2e968fe
CRs-Fixed: 2233556

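
The unsigned-versus-int mismatch described in the channel_freq commit above, shown as an added example (not the driver's code): fake_htt_get_channel_freq is a constructed stand-in for htt_get_channel_freq that returns -1 when no frequency is available.

```c
#include <stdint.h>

/* Constructed stand-in for htt_get_channel_freq(): the real function returns
 * "int", with -1 meaning "no frequency reported" (assumption for this demo). */
static int fake_htt_get_channel_freq(int reported)
{
    return reported;
}

/* Before the fix: the int result is stored in a uint16_t, so -1 becomes 65535.
 * In the comparison the uint16_t is promoted back to int, and 65535 != -1 is
 * always true, so the error value is never caught.
 * Returns 1 when the check would let the value through. */
int channel_freq_check_before(int reported)
{
    uint16_t channel_freq = (uint16_t)fake_htt_get_channel_freq(reported);
    return channel_freq != -1;
}

/* After the fix: keep the int and accept only a positive frequency, which
 * rejects both the -1 error value and a zero frequency. */
int channel_freq_check_after(int reported)
{
    int channel_freq = fake_htt_get_channel_freq(reported);
    return channel_freq > 0;
}
```
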
Here the case is designed to fall through to the next case. So,
add a /* fallthrough */ comment where the break is expected.
Change-Id: Ide5b530c9b817a269fcee4ece679476930797ae7
CRs-Fixed: 2233186

IPA RM is not used when WDI_UNIFIED_API is defined.
Remove the use of wake_lock and rm_lock, which are created from RM setup.
Change-Id: I6c614fde7d6d7f0ab94aa9933578f3dca814a40e
CRs-Fixed: 2231424

Currently tid is extracted from HTT message and it is used without
check. This may cause possible OOB array read. To address this add
check for valid tid.
Change-Id: Idb03236e05fe43326f9ab46ae8368adc9a92d92a
CRs-Fixed: 2225497

In the API, the driver inserts 0 after the SSID name, to mark the
end of the ssid, but if the SSID name is 32 characters which is
the max SSID length possible, the driver puts 0 at the 33rd
place of memory which is not the part of the SSID name, which
results in OOB write, or off-by-one write condition.
Fix is to remove the addition of 0 after ssid, as in every
case the driver prints the ssid, taking the ssid length
as the input, and in that case insertion of 0 will not serve
any purpose.
Change-Id: I1d58026ec9f48fe9d00bd2f50783c65899588978
CRs-Fixed: 2232526

Check for nan rsp data len does not take TLV header
size into account which could lead to buffer overflow
when copying data where TLV header size is taken into
account.
Fix is to subtract TLV header size and wmi_nan_event_hdr
size from max allowed size when validating nan rsp data
length.
Change-Id: I341779a33ed218fdda5d008e949ced0c8cf05590
CRs-Fixed: 2227248

In the function lim_process_sme_update_access_policy_vendor_ie,
update_vendor_ie is parsed from the incoming msg. num_bytes is
the length of the IE and is retrieved as
update_vendor_ie->ie[1]+2. This num_bytes value is used as the
size to copy the IE to pe_session_entry->access_policy_vendor_ie
The update_vendor_ie->ie[1] can have a maximum value of
SIR_MAC_MAX_IE_LENGTH. As the num_bytes is of uint8_t, a
possible integer overflow can occur in
lim_process_sme_update_access_policy_vendor_ie when num_bytes is
assigned with update_vendor_ie->ie[1].
Change the data type of the num_bytes to uint16_t so that it can
hold the value of update_vendor_ie->ie[1] without truncation.
Change-Id: I05c7e83a741bf1c9c0707be51f97eae9eff1ac97
CRs-Fixed: 2235044

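
The uint8_t truncation described in the num_bytes commit above, as an added example rather than the driver's code: the value 255 for SIR_MAC_MAX_IE_LENGTH, the 2-octet IE header and the session buffer size are assumptions, and copy_vendor_ie is a constructed helper that also bounds the copy against the destination buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SIR_MAC_MAX_IE_LENGTH 255                   /* assumed value */
#define IE_HDR_LEN 2                                /* element ID + length octet */
#define VENDOR_IE_BUF_LEN (SIR_MAC_MAX_IE_LENGTH + IE_HDR_LEN)

/* Before the fix: ie[1] is promoted to int, so 255 + 2 = 257, but storing it
 * in a uint8_t keeps only the low byte (1). Returns the byte count the old
 * code would have passed to the copy. */
size_t vendor_ie_len_before(const uint8_t *ie)
{
    uint8_t num_bytes = ie[1] + IE_HDR_LEN;
    return num_bytes;
}

/* After the fix: uint16_t holds the full 257 without truncation. */
size_t vendor_ie_len_after(const uint8_t *ie)
{
    uint16_t num_bytes = ie[1] + IE_HDR_LEN;
    return num_bytes;
}

/* Constructed helper: copy the IE into a fixed session buffer, refusing any
 * length the destination cannot hold. Returns bytes copied, 0 on rejection. */
size_t copy_vendor_ie(uint8_t *dst, size_t dst_len, const uint8_t *ie)
{
    uint16_t num_bytes = (uint16_t)vendor_ie_len_after(ie);
    if (num_bytes > dst_len)
        return 0;
    memcpy(dst, ie, num_bytes);
    return num_bytes;
}

/* Constructed sample: a vendor-specific IE (ID 221) with the maximum length. */
size_t demo_max_ie(void)
{
    static uint8_t ie[VENDOR_IE_BUF_LEN];
    uint8_t dst[VENDOR_IE_BUF_LEN];
    ie[0] = 221;
    ie[1] = SIR_MAC_MAX_IE_LENGTH;
    memset(ie + IE_HDR_LEN, 0xAB, SIR_MAC_MAX_IE_LENGTH);
    return copy_vendor_ie(dst, sizeof dst, ie);
}
```
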
If disconnect command is in SME pending queue, when connect command
is received, the disconnect command is flushed and as SME is
already in connected state the new connect command is handled as
reassoc req and as no preauth was done with this new AP, SME does not
call proper HDD callback to indicate connect failure. Thus HDD remains
stuck in connecting state leading to scan rejection.
To fix this do not flush disconnect command from SME on receiving
connect cmd and thus clean up the SME before connect is processed.
Change-Id: Icefe8866a24b332688c64d8e69a11642fd7215d9
CRs-Fixed: 2238873