In the function lim_chk_n_process_wpa_rsn_ie, if the wpa IE is
present, then dot11f_unpack_ie_wpa is called to copy the wpa IE
to the destination buffer. assoc_req->wpa.length is passed as the
length to copy the IE. As this length also includes the 4 bytes of
the OUI fields, this could result in an OOB read.

Change the length passed to dot11f_unpack_ie_wpa to
(assoc_req->wpa.length - 4), so that the additional 4 bytes of
the OUI fields are excluded.

Change-Id: If972b3a19d239bb955c7b4d4c7d94e25aa878f21
CRs-Fixed: 2267557

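
The length accounting the commit above describes, shown as an added C example; this is not code from the driver. The element layout (id, length byte, 4-byte OUI+type, then the body) is the standard vendor-specific IE format; the function names, the sample IE bytes and the helper functions are constructed for illustration. The check to note is that the body is `length - 4` bytes, and that the element's claimed length is compared against the buffer that actually holds it before anything is read.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Vendor-specific element id and the OUI + type bytes that follow the length byte. */
#define WLAN_EID_VENDOR_SPECIFIC 0xDD
#define WPA_OUI_TYPE_LEN 4
static const uint8_t WPA_OUI_TYPE[WPA_OUI_TYPE_LEN] = {0x00, 0x50, 0xF2, 0x01};

/*
 * Locate the WPA IE body inside buf. Returns 0 on success and sets *body /
 * *body_len to the bytes after the OUI+type; returns -1 on any inconsistency.
 * The element length byte (buf[1]) counts the 4 OUI+type bytes, so the body is
 * buf[1] - 4 bytes long; using buf[1] as the body length reads 4 bytes too far.
 */
int wpa_ie_body(const uint8_t *buf, size_t buflen,
                const uint8_t **body, size_t *body_len)
{
    if (buf == NULL || buflen < 2)
        return -1;
    if (buf[0] != WLAN_EID_VENDOR_SPECIFIC)
        return -1;
    size_t ie_len = buf[1];
    if (ie_len + 2 > buflen)            /* element claims more bytes than the buffer holds */
        return -1;
    if (ie_len < WPA_OUI_TYPE_LEN)      /* too short to even hold OUI + type */
        return -1;
    if (memcmp(&buf[2], WPA_OUI_TYPE, WPA_OUI_TYPE_LEN) != 0)
        return -1;
    *body = &buf[2 + WPA_OUI_TYPE_LEN];
    *body_len = ie_len - WPA_OUI_TYPE_LEN;
    return 0;
}

/* Read the little-endian WPA version from the body; -1 if the body is too short. */
int wpa_ie_version(const uint8_t *body, size_t body_len)
{
    if (body_len < 2)
        return -1;
    return body[0] | (body[1] << 8);
}

/* Constructed sample: vendor IE carrying WPA v1, TKIP group cipher, one pairwise suite, one AKM. */
static const uint8_t sample_wpa_ie[] = {
    0xDD, 0x16,                   /* id, length = 22 (includes the 4 OUI+type bytes) */
    0x00, 0x50, 0xF2, 0x01,       /* OUI 00:50:F2, type 1 (WPA) */
    0x01, 0x00,                   /* version 1 */
    0x00, 0x50, 0xF2, 0x02,       /* group cipher suite: TKIP */
    0x01, 0x00,                   /* pairwise suite count */
    0x00, 0x50, 0xF2, 0x02,       /* pairwise suite: TKIP */
    0x01, 0x00,                   /* AKM suite count */
    0x00, 0x50, 0xF2, 0x02,       /* AKM suite: PSK */
};

/* Constructed sample that is too short to hold OUI + type. */
static const uint8_t short_wpa_ie[] = { 0xDD, 0x02, 0x00, 0x50 };

/* Body length the parser derives for the sample when buflen bytes are available, or -1. */
long sample_body_len(size_t buflen)
{
    const uint8_t *body;
    size_t body_len;
    if (wpa_ie_body(sample_wpa_ie, buflen, &body, &body_len) != 0)
        return -1;
    return (long)body_len;
}

/* WPA version parsed from the full sample, or -1 if the sample is rejected. */
int sample_version(void)
{
    const uint8_t *body;
    size_t body_len;
    if (wpa_ie_body(sample_wpa_ie, sizeof(sample_wpa_ie), &body, &body_len) != 0)
        return -1;
    return wpa_ie_version(body, body_len);
}

/* 1 if the too-short element is rejected, 0 otherwise. */
int short_ie_rejected(void)
{
    const uint8_t *body;
    size_t body_len;
    return wpa_ie_body(short_wpa_ie, sizeof(short_wpa_ie), &body, &body_len) != 0;
}
```

With the full 24-byte sample the parser reports an 18-byte body (22 minus the 4 OUI+type bytes); handing it only 23 bytes, or an element whose length is below 4, is rejected before any body byte is touched.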
Fix use of the uninitialized variable status inside the function
populate_dot11f_twt_extended_caps.

Change-Id: Ic80df2f6c5310414da4179f00867c0fe029b09c7
CRs-Fixed: 2277833

When the beacon is updated the host passes the gSchBeaconFrameBegin
param to WMA to copy the beacon to WMI and pass the value to
firmware. gSchBeaconFrameBegin is global, so if we receive a new
beacon update in LIM before WMA processes the old beacon
update, the values in the global gSchBeaconFrameBegin are
updated as per the new beacon. So if there is a change in beacon
length, the first WMA msg copies the wrong beacon data and sends
this corrupt data to firmware.

To fix this, instead of passing the global gSchBeaconFrameBegin,
fill the beacon data in the beacon update req itself.

Change-Id: I6d196784470d9a2aeeaba76e12577f9f65012bac
CRs-Fixed: 2272448

Add support to configure HE trigger frame MAC padding and disable
the MU EDCA param update when the user configures the padding.

Change-Id: Ief928c5421366b03ee6e1d6253963b10fd3b87b6
CRs-Fixed: 2265331

Add support to configure the HE MU EDCA params with default
values and update the params to FW.

Change-Id: Ia7485949c040cb8f83ccfe1f8336267051dbfd13
CRs-Fixed: 2262874

We are transitioning the usage of the set antenna mode event
to the request manager framework.

Change-Id: I4df39c9b71ccd5680f85d1662bec06bc90f70977
CRs-Fixed: 2274929

As part of the nss update request, the operating mode is updated
in the beacon template. The OMN IE can also be present in additional
IEs, which will result in the OMN IE being included twice in the beacon.

The fix is to strip the OMN IE from the additional IEs if the beacon
template is updated as part of the nss update request.

Change-Id: Ic0cd6b76738e16eb73de7a7ba406cd727c2f8dc4
CRs-Fixed: 2274027

In wma_unified_link_iface_stats_event_handler, FW stats are cast into
a host data structure via memory copy. This could be dangerous since
there could be some mismatch between the host and FW data structures.

Update it with field-by-field assignment.

Change-Id: If90c6062551c8769d948b3267dfa323fba310a78
CRs-Fixed: 2274034

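
The host/FW layout mismatch the commit above refers to, shown as an added C example that is not code from the driver. Both structures, the field names and the sample payload are constructed for illustration; the real WMI event layout is not on this page. The point is that a packed wire layout and a naturally aligned host structure have different sizes, so a blind memcpy sized by the host structure reads past the payload and misplaces fields, whereas decoding each field from its wire offset, after checking the payload length, cannot.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed firmware-side layout, packed as it would sit in an event payload. */
struct fw_link_stats {
    uint8_t  vdev_id;
    uint32_t beacon_rx;
    uint32_t mgmt_rx;
    uint8_t  rssi_mgmt;      /* signed dBm on the wire, carried in one byte */
} __attribute__((packed));

/* Constructed host-side structure: natural alignment, different order and widths. */
struct host_link_stats {
    uint32_t beacon_rx;
    uint32_t mgmt_rx;
    int32_t  rssi_mgmt;
    uint8_t  vdev_id;
};

/* Wire offsets of the packed fields; endianness is fixed to little-endian here. */
#define FW_OFF_VDEV_ID   0
#define FW_OFF_BEACON_RX 1
#define FW_OFF_MGMT_RX   5
#define FW_OFF_RSSI_MGMT 9

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* How many bytes a memcpy(&host, payload, sizeof(host)) would read beyond the wire struct. */
size_t host_fw_size_delta(void)
{
    return sizeof(struct host_link_stats) - sizeof(struct fw_link_stats);
}

/*
 * Field-by-field conversion. The payload length is checked against the wire
 * structure size (not the host one), and every host member is assigned from
 * its own wire field, so padding, ordering and width differences cannot
 * shift or truncate any value. Returns 0 on success, -1 on a short payload.
 */
int host_stats_from_fw(struct host_link_stats *out,
                       const uint8_t *payload, size_t payload_len)
{
    if (out == NULL || payload == NULL || payload_len < sizeof(struct fw_link_stats))
        return -1;
    out->vdev_id   = payload[FW_OFF_VDEV_ID];
    out->beacon_rx = rd_le32(payload + FW_OFF_BEACON_RX);
    out->mgmt_rx   = rd_le32(payload + FW_OFF_MGMT_RX);
    out->rssi_mgmt = (int8_t)payload[FW_OFF_RSSI_MGMT];   /* sign-extend the dBm byte */
    return 0;
}

/* Constructed 10-byte payload: vdev 3, beacon_rx 0x11223344, mgmt_rx 7, rssi -60 dBm. */
static const uint8_t sample_payload[] = {
    0x03,
    0x44, 0x33, 0x22, 0x11,
    0x07, 0x00, 0x00, 0x00,
    0xC4,
};

/* Decode the sample and return one host field by index (0..3), or -1 on error. */
long long sample_field(int idx)
{
    struct host_link_stats h;
    if (host_stats_from_fw(&h, sample_payload, sizeof(sample_payload)) != 0)
        return -1;
    switch (idx) {
    case 0: return h.vdev_id;
    case 1: return h.beacon_rx;
    case 2: return h.mgmt_rx;
    case 3: return h.rssi_mgmt;
    default: return -1;
    }
}

/* 1 if a payload one byte shorter than the wire struct is rejected, 0 otherwise. */
int short_payload_rejected(void)
{
    struct host_link_stats h;
    return host_stats_from_fw(&h, sample_payload, sizeof(sample_payload) - 1) != 0;
}
```

For these two constructed layouts the host structure is 16 bytes and the wire structure 10, so a copy sized by the host side would read 6 bytes past a 10-byte event; the per-field decoder instead refuses anything shorter than the wire structure and lands each value in the right member.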
In the function sir_convert_addts_rsp2_struct, the iterator j is
assigned the value pAddTs->numTclas + addts.num_WMMTCLAS.
The j value is used as the index to the array pAddTs->tclasInfo.
The maximum limit on pAddTs->tclasInfo entries is 2. So when the
value of j exceeds 2, a possible buffer overflow could
occur.

Validate the value of j against SIR_MAC_TCLASIE_MAXNUM (2).

Change-Id: Icc723380ed4ccd51c729194d509e288be0e0712c
CRs-Fixed: 2264429

The driver checks the MAX supported rates and, if found
greater than MAX_RATES (12 in the case of 11b/g), the driver
returns failure in populate peer rates and sends all
rates as zero to FW in peer-assoc.

This reverts commit I75d5f5b5e7d44665101dae6e095b4adadc1781fb.

Change-Id: I85d696d3de89ce4f581de7d81542603407a68e87
CRs-Fixed: 2277588