HE caps and HE op IE are derived in the driver and also sent from
hostapd as part of the additional IE. Additional IEs are appended at
the end of the beacon frame, hence the duplicate IEs are observed.
Strip out the HE caps and HE op IE from the additional IE after the
IEs are derived in the driver.
Change-Id: Ia11b16ef8e7d376e5c1ef44d54e1cd1885f5b842
CRs-Fixed: 2159867
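The commit above removes HE elements from the hostapd-supplied additional IE blob so the beacon does not carry them twice. The following is an added example written for this page, not the driver's code: a small filter over an 802.11 element list that drops HE Capabilities and HE Operation (Element ID 255 with extension IDs 35 and 36) while checking every length field against the bytes actually remaining. The macro names and the sample IE bytes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Element ID 255 is the Element ID Extension; HE Capabilities and HE
 * Operation are carried under extension IDs 35 and 36 (IEEE 802.11ax).
 * The macro names are this example's own, not the driver's. */
#define EID_EXTENSION           255
#define EID_EXT_HE_CAPABILITIES 35
#define EID_EXT_HE_OPERATION    36

/*
 * Copy the IE list `in` to `out`, dropping HE Capabilities and HE Operation
 * elements so they are not duplicated behind the driver-generated ones.
 * Every length field is checked against the bytes remaining, so a malformed
 * list returns -1 instead of being read past its end.
 * Returns the number of bytes written to `out`.
 */
int strip_he_ies(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t off = 0, written = 0;

    while (off < in_len) {
        if (in_len - off < 2)
            return -1;                      /* no room for ID + length */
        uint8_t eid = in[off];
        size_t len = in[off + 1];
        if (len > in_len - off - 2)
            return -1;                      /* length runs past the buffer */
        size_t total = 2 + len;
        int drop = 0;

        /* The extension ID is the first payload byte of an EID 255 element. */
        if (eid == EID_EXTENSION && len >= 1) {
            uint8_t ext = in[off + 2];
            drop = (ext == EID_EXT_HE_CAPABILITIES || ext == EID_EXT_HE_OPERATION);
        }
        if (!drop) {
            if (out_cap - written < total)
                return -1;                  /* output buffer too small */
            memcpy(out + written, in + off, total);
            written += total;
        }
        off += total;
    }
    return (int)written;
}

/* Constructed additional-IE blob: SSID "ab", a dummy HE Capabilities
 * element, a vendor-specific element, and a dummy HE Operation element. */
static const uint8_t sample_addn_ies[] = {
    0x00, 0x02, 'a', 'b',               /* SSID, kept */
    0xff, 0x03, 0x23, 0x01, 0x02,       /* EID 255, ext 35 = HE Capabilities, dropped */
    0xdd, 0x03, 0x00, 0x11, 0x22,       /* vendor specific, kept */
    0xff, 0x02, 0x24, 0x00,             /* EID 255, ext 36 = HE Operation, dropped */
};

/* Constructed truncated blob: the SSID claims 5 bytes but only 2 follow. */
static const uint8_t sample_truncated[] = { 0x00, 0x05, 'a', 'b' };

int main(void)
{
    uint8_t out[64];
    int n = strip_he_ies(sample_addn_ies, sizeof sample_addn_ies, out, sizeof out);
    printf("kept %d bytes (expected 9)\n", n);
    printf("truncated list -> %d (expected -1)\n",
           strip_he_ies(sample_truncated, sizeof sample_truncated, out, sizeof out));
    return 0;
}
```

The filter walks the list once and copies only the elements it keeps, so the SSID and the vendor element survive in their original order while both HE elements are removed; a length that overruns the input, or an output buffer that is too small, is reported rather than silently truncated.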
During the disconnection process, cache the disconnecting STA information
so that the same information is updated to the upper layer on receiving
the GET_STATION vendor command after disconnection.
Change-Id: I2e5a0be42d81b86e6f4490de1bdf9d7e0797506d
CRs-Fixed: 2126182
When pe_enable/pe_disable are invoked, the scheduler is running.
There will be two threads operating on lim resources at the same time.
Most lim resources should be initialized/freed in pe_open/close
to avoid the race condition.
So:
- Move lim_cleanup to pe_close.
- Move lim_initialize to pe_open.
- lim_start, __lim_init_config and lim_register_hal_ind_call_back
stay in pe_start.
- lim_cleanup_mlm stays in pe_stop.
Change-Id: Ib647174ee9e1cf82567223abca233cb0332f1ffb
CRs-Fixed: 2154978
Free the deauth req msg, if no ack has been received from fw, in
pe_close() during interface down to avoid a mem leak.
Change-Id: I49508b2681f708dc56fc3938162ff856babfb0aa
CRs-Fixed: 2158490
If connect timers like join, auth and assoc timeout are running and
the timers are stopped in deactivate lim timers, the connect cmd gets stuck
in the sme active cmd queue if no probe resp, auth or assoc resp is
received respectively from the AP.
Thus, during deactivate lim timers, call the timeout API for the
connect timeouts so that the connect command fails and is removed from
the sme active cmd queue.
Change-Id: I1ddd23ad94fb4b616b9a7868316f05577d6524b3
CRs-Fixed: 2164061
mlm_set_keys_req may leak if returning in some fail case or if
there is no WMA_SET_STAKEY_RSP.
Change-Id: Ib89709a6656cfcff18341257e116861774489c8c
CRs-Fixed: 2166374
Check the channel width value in the CSA IE before we process the
channel switch so that, if the AP sends the wrong channel width in
the CSA, the driver can process it with the correct configuration.
Change-Id: Ib14a0146502b0f731f319ac1fe6657a389388cec
CRs-Fixed: 2162235
Add sanity check for rxNss value in lim_set_nss_change()
as rxNss cannot be zero.
Change-Id: Ie8043d41413a26469539a1f370ff4bca09870b61
CRs-Fixed: 2157501
This reverts commit 7cf307e148,
as the check to drop the auth frame if the previous sequence number
and auth algo match the current sequence number and auth
algo returns true instead of false in a correct scenario.
Change-Id: I8dee272f535acaadb9dfff69ee9ce68ddea4eec1
CRs-Fixed: 2166125
Currently the host driver is dumping all the connection related
info for FILS connection.
Add changes to remove excessive logging for FILS connection.
Change-Id: Ib23a90672413e00c06ae61f01fbbb0fb51edda56
CRs-Fixed: 2077465
DUT retries auth with open system if shared key
authentication is not supported by AP. If auth
response from AP for open system auth has same
sequence number as that of shared key response,
host drops the frame.
Fix is to drop the auth frame only if previous
sequence number and auth algo match with current
sequence number and auth algo.
Change-Id: Ia02408d72371dfb91a7cae190ae9399cdf2e2e8b
CRs-Fixed: 2163231
In function lim_send_probe_rsp_template_to_hal, memset is done on the
allocated packet for length nBytes, which is calculated as size of payload +
MAC header + addn_ielen.
However, the buffer used, psessionEntry->pSchProbeRspTemplate, is allocated
with length 512 (SCH_MAX_PROBE_RESP_SIZE) only as part of create session.
This leads to a potential overflow of the memory if the calculated nBytes is
greater than 512, leading to a kernel panic while freeing the memory in
delete session.
Add a sanity check to make sure we do not exceed SCH_MAX_PROBE_RESP_SIZE
before doing a memset on the buffer.
Change-Id: I4657d34a429b1f0c11ac8ca24869727c222669b8
CRs-Fixed: 2160086
In function lim_parse_kde_elements, while parsing the KDE list from
the assoc response frame, elem_len is obtained from the frame buffer.
elem_len is then used to find the matching OUI for the KDE OUI type and
then to calculate data_len based on the offset for the GTK/IGTK data
types.
If the value in the elem_len field in the frame is less than the Data
Offset (which includes the OUI and data type) or the GTK/IGTK offset,
then an OOB read would occur.
Add checks to validate elem_len against the Data offset and then against
the GTK/IGTK offset based on the data type.
Change-Id: I8ae31c6d6c28e88ad9bda757b3f1ff2585f8a553
CRs-Fixed: 2161920
Check hdd_ctx, adapter and sta_ctx against null before dereferencing
them in wlan_hdd_nan_datapath.c
Change-Id: Ie81a359be4f03f4f7e411b56d583c12fa3bb03c0
CRs-Fixed: 2162244
Add changes to identify and forward GAS public action frames to the
supplicant in lim_process_action_frame_no_session.
Change-Id: Id872e2b0b8b7a203b472e0bd152f25f63c873b4f
CRs-Fixed: 2161785
FILS indication IE minimum length should be 4 bytes (2 bytes for tag and
length) + (2 bytes for realm hash). However, the current minimum is set to
5 bytes.
Usually the AP sends the cache identifier also in the FILS indication IE, which
is optional and causes the IE length to be greater than the min of 5.
If the AP does not send the Cache Identifier and sends only the realm hash,
the IE length would be 4, which causes the IE to be skipped in parsing,
thereby failing the FILS connection.
Fix the min IE length to 4 bytes in the frame parser for the FILS Indication IE.
Change-Id: I07f2b724f5840f9ba8ec663e0b303d8fc86663da
CRs-Fixed: 2161241
Add the WiderBWChanSwitchAnn to ext_chan_switch_ann action frame
as optional IE. Currently WiderBWChanSwitchAnn is added only in
beacon frames.
Change-Id: I4f76479bdb2befa93fcb83238590007a555af210
CRs-Fixed: 2141529
Do not drop operating mode action frame if channel bonding is disabled.
Process NSS change if requested by frame.
Change-Id: Id342c5399a70be8ea1b3d6c9878983a75ca456ad
CRs-Fixed: 2157167
1. Register the lim_process_rx_scan_handler with api
ucfg_scan_register_requester;
2. Redefine function lim_send_preauth_scan_offload
to use api ucfg_scan_start;
Change-Id: I43a0b28c3abcce907575717dc3a4bfb190a32ec2
CRs-Fixed: 2144630
qcacld-2.0 to qcacld-3.0 propagation
The return value validation is missing for dot11fUnpackIeRSN, thus
"dot11f_ie_rsn.pmkid_count" could be larger than 4. When it is larger
than 4 there will be a buffer over-read in vos_mem_compare. Add a status
check of dot11fUnpackIeRSN in lim_process_fils_auth_frame2.
Change-Id: If563ddb13bbfcad5660d136c35c39846010594e1
CRs-Fixed: 2147955
sme_stop and mac_stop are accessing shared data structures, which
creates a race condition when they are called from rmmod context.
Change the context of sme_stop and mac_stop from the rmmod thread to the
mc thread.
Change-Id: Ie30f99d6b0c2f7c6cf20371dd66323d156360474
CRs-Fixed: 2148771
In function get_container_ies_len, nBuf is passed from the caller function
as the length of the buffer remaining in the frame. len is calculated from
the length field present in the IE. Then find_ie_defn is called with
nBuf + len as the buffer length available, leading to a potential OOB read
in the function find_ie_defn.
Also in function get_container_ies_len, if len is greater than nBuf, an
OOB read would occur in the caller function unpack_core.
In function unpack_core, len is calculated from the length field in
the IE buffer, then the IE is parsed in one of the unpack functions
where len is decremented without any check for the min value of len.
If the value of len obtained from the IE buffer is less than the
minSize of the IE, then an integer underflow would occur.
1. In function get_container_ies_len, change the call to find_ie_defn
to use nbuf - len.
2. In function get_container_ies_len, if len > nbuf, return an error.
3. In function unpack_core, add a sanity check to make sure len is not
less than the IE's minSize.
Change-Id: I8e42fb7e9674845d152d2ec26a592e02a1b562ab
CRs-Fixed: 2153003
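The three fixes above all come down to validating an element's length field before it is used. As an added example for this page (not the driver's own unpack code, whose IE definition tables are not shown here), the walker below applies the same checks to an ID/length/payload element list: a length larger than the remaining bytes is rejected, a length below the element's minimum size is rejected before any field parsing can drive it negative, and a container's nested list is parsed with exactly its own length rather than more. The container element ID (200), the minimum-size table and the sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ie_status { IE_OK = 0, IE_ERR_TRUNCATED = 1, IE_ERR_TOO_SHORT = 2 };

/* Constructed element ID for a container whose payload is itself a list of
 * elements; stands in for the container IEs the commit's
 * get_container_ies_len handles. Not a real 802.11 element ID. */
#define EID_EXAMPLE_CONTAINER 200

/* Minimum payload length per element ID (the commit's minSize). The real
 * driver keeps this in its IE definition tables; these are a few well-known
 * values used for illustration. */
static size_t ie_min_size(uint8_t eid)
{
    switch (eid) {
    case 1:  return 1;   /* Supported Rates: at least one rate */
    case 3:  return 1;   /* DS Parameter Set: the channel number */
    case 48: return 2;   /* RSN: the version field */
    default: return 0;   /* SSID may be empty; others unconstrained here */
    }
}

/*
 * Walk `nbuf` bytes of ID/length/payload elements, applying the three checks
 * from the commit before any payload byte is touched:
 *  - an element length larger than the bytes remaining is an error;
 *  - an element length below the element's minimum size is an error, so
 *    field-by-field parsing can never underflow the length;
 *  - a container's nested list is parsed with exactly `len` bytes, and the
 *    outer walk then continues with nbuf - len, never nbuf + len.
 * On success *count receives the number of elements seen, nested included.
 */
enum ie_status ie_walk(const uint8_t *buf, size_t nbuf, size_t *count)
{
    size_t n = 0;

    while (nbuf > 0) {
        if (nbuf < 2)
            return IE_ERR_TRUNCATED;         /* no room for ID + length */
        uint8_t eid = buf[0];
        size_t len = buf[1];
        buf += 2;
        nbuf -= 2;
        if (len > nbuf)
            return IE_ERR_TRUNCATED;         /* fix 2: len > remaining bytes */
        if (len < ie_min_size(eid))
            return IE_ERR_TOO_SHORT;         /* fix 3: len < minSize */
        n++;
        if (eid == EID_EXAMPLE_CONTAINER) {
            size_t inner = 0;
            enum ie_status st = ie_walk(buf, len, &inner);  /* fix 1: bounded by len */
            if (st != IE_OK)
                return st;
            n += inner;
        }
        buf += len;
        nbuf -= len;                         /* continue after the element */
    }
    if (count)
        *count = n;
    return IE_OK;
}

/* Constructed sample buffers. */
static const uint8_t ies_good[] = {
    0x00, 0x02, 'a', 'b',                   /* SSID "ab" */
    0xc8, 0x06, 0x03, 0x01, 0x06,           /* container holding DS Param (ch 6) */
                0x01, 0x01, 0x82,           /*   ... and Supported Rates (1 Mbps) */
    0x30, 0x02, 0x01, 0x00,                 /* RSN, version field only */
};
static const uint8_t ies_len_overrun[]   = { 0x00, 0x05, 'a', 'b' };   /* len 5, 2 bytes left */
static const uint8_t ies_below_min[]     = { 0x03, 0x00 };             /* DS Param with no channel */
static const uint8_t ies_bad_container[] = { 0xc8, 0x04, 0x03, 0x05, 0x06, 0x00 }; /* nested len 5 > 2 */

int main(void)
{
    size_t n = 0;
    printf("good: status %d, %zu elements (expected 0, 5)\n",
           ie_walk(ies_good, sizeof ies_good, &n), n);
    printf("overrun: %d, below min: %d, bad container: %d (expected 1, 2, 1)\n",
           ie_walk(ies_len_overrun, sizeof ies_len_overrun, &n),
           ie_walk(ies_below_min, sizeof ies_below_min, &n),
           ie_walk(ies_bad_container, sizeof ies_bad_container, &n));
    return 0;
}
```

The nested call receives only the container's payload length, so an inner element that claims more bytes than the container holds is caught inside the nested walk and propagated as an error, which is the case the unchecked nBuf + len arithmetic would have let through.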
Avoid bit addressing for HE Caps and HE Ops, and use structures
to access fields within HE Caps and HE Ops.
Change-Id: I1afa1926d1f4c7da5446870a7ad3121c06762f98
CRs-Fixed: 2145511
TDLS peer delete function is not validating the return
status from PE, and it causes unpredictable errors.
Verify the return status and take the corresponding
action for the error cases.
Change-Id: I55c77842560917ca766fbfcbf26762d745a1d5e5
CRs-Fixed: 2144268
Add debugs to dump all the Vendor IEs of tag type 221 to identify
the IEs sent in the AP's beacons/probe responses without the need for a sniffer.
Change-Id: I1896adc12b49a54e4cf39794e802c04f7ad22080
CRs-Fixed: 2156913
Replace the existing cdp_peer_find_by_addr calls with calls to
cdp_peer_get_ref_by_addr and cdp_peer_release_ref. The new APIs
make sure that the peer is valid as long as the peer reference is not
released (call to cdp_peer_release_ref).
Change-Id: Ibde9944a9721e5dcf0f7838058c229539efae7e4
CRs-Fixed: 2139801
Memory leak is detected while processing the
measurement report request while another request
is under processing.
Pass an address of the pointer to the rrm beacon
request API to get the allocated memory address.
Change-Id: I83c44a6a7a4a8e1ce56e48b008e7d784cca1dc6d
CRs-Fixed: 2144031
If mac_ctx->roam.configParam.qcn_ie_support is enabled, the driver adds the
qcn ie in the directed probe req, even if it's already present in the
additional scan IEs. Thus in the probe request two qcn ies are present.
To fix this, add the qcn ie only if roam.configParam.qcn_ie_support is set
and the qcn ie is not present in the additional scan IE.
Change-Id: I4c7ea32dc06e5c62b4043dbd3794348f8185fd9b
CRs-Fixed: 2152795
Avoid using the WMI HE Ops macro in lim and use the dot11f struct for
HE Ops instead. Keep the translation to the FW interpretation of
HE Ops in the wma layer only.
Change-Id: Ie94795541aaddb7ae291ff451b938ebb96f74dbf
CRs-Fixed: 2145510
If roaming is happening and then a set key response is
generated from WMA to PE, then there is a possibility
of not finding the PE session as the roaming happened
and a new session is established. In such cases, return
failure from PE to SME so that the set key command is
released and the command queue is not stuck.
Change-Id: Ieba8ea76a2a53322f2e392e6b0bf30360b1e8f8a
CRs-Fixed: 2150731
Fix implicit conversion from enumeration type 'tSirRFBand'
to different enumeration type 'eCsrBand'.
Currently 3 different types of enums exist to enumerate the
band type. Remove eCsrBand and tSirRfBand and
use tSirRFBand everywhere.
Change-Id: I1862c6d3a5daca7523870b7f0931ee4f20c7ce4f
CRs-Fixed: 2145080
Fix implicit conversion from enumeration type
'enum eSirMacStatusCodes' to different enumeration type
'tSirResultCodes' in function __lim_process_sme_assoc_cnf_new().
Change-Id: I1179014e3a190427f6bbfcbc62a3b82f0b187a0f
CRs-Fixed: 2145080
In function lim_parse_kde_elements, elem_len is obtained from the
assoc response IE buffer and is used to decrement rem_len in the
while loop. If the value of elem_len is greater than rem_len, an
integer underflow would happen to rem_len, leading to a buffer overread.
Also, if elem_len is greater than kde_list_len, a buffer overread
would occur when incrementing the temp_ie pointer.
Add a sanity check to make sure elem_len is not greater than
kde_list_len or rem_len.
Change-Id: If126bb0e14b57f3594679b91d54cc0f1ffaa6f66
CRs-Fixed: 2152946
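This commit and the earlier lim_parse_kde_elements commit (CRs-Fixed 2161920) fix two sides of the same parser: elem_len must fit inside the remaining list, and it must cover the OUI, data type and the GTK/IGTK header before those fields are read. The parser below is an added example for this page, not the driver's lim_parse_kde_elements; it follows the KDE layout from the IEEE 802.11 key data encapsulation (Type 0xdd, Length, 3-byte OUI, 1-byte Data Type, Data; GTK data preceded by a Key ID/Tx byte and a reserved byte, IGTK data preceded by a 2-byte Key ID and a 6-byte IPN). The macro names, the status codes and the sample byte strings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* KDE layout (IEEE 802.11 key data encapsulation); names are this example's own.
 *   Type (0xdd) | Length | OUI (3) | Data Type (1) | Data
 * Length counts the bytes after the Length field. */
#define KDE_TYPE         0xdd
#define KDE_HDR_LEN      2
#define KDE_DATA_OFFSET  4    /* OUI + data type */
#define KDE_GTK_OFFSET   2    /* key id/tx + reserved, before the GTK */
#define KDE_IGTK_OFFSET  8    /* key id (2) + IPN (6), before the IGTK */
#define KDE_DT_GTK       1
#define KDE_DT_IGTK      9
static const uint8_t RSN_OUI[3] = { 0x00, 0x0f, 0xac };

enum kde_status { KDE_OK = 0, KDE_ERR_LEN = 1, KDE_ERR_OFFSET = 2 };

struct kde_keys {
    const uint8_t *gtk;  size_t gtk_len;
    const uint8_t *igtk; size_t igtk_len;
};

/* Parse a KDE list. elem_len is validated against the remaining bytes (so
 * rem_len cannot underflow and the cursor cannot leave the list) and against
 * the OUI/data-type and GTK/IGTK header offsets before those fields are read. */
enum kde_status kde_parse(const uint8_t *kde_list, size_t kde_list_len, struct kde_keys *out)
{
    const uint8_t *p = kde_list;
    size_t rem_len = kde_list_len;

    memset(out, 0, sizeof *out);
    while (rem_len >= KDE_HDR_LEN) {
        uint8_t type = p[0];
        size_t elem_len = p[1];

        if (elem_len > rem_len - KDE_HDR_LEN)
            return KDE_ERR_LEN;              /* length field exceeds the list */
        if (type == KDE_TYPE) {
            if (elem_len == 0)
                break;                       /* 0xdd 0x00 marks the start of padding */
            if (elem_len < KDE_DATA_OFFSET)
                return KDE_ERR_OFFSET;       /* cannot hold OUI + data type */
            if (memcmp(p + KDE_HDR_LEN, RSN_OUI, sizeof RSN_OUI) == 0) {
                uint8_t dt = p[KDE_HDR_LEN + 3];
                const uint8_t *data = p + KDE_HDR_LEN + KDE_DATA_OFFSET;
                size_t data_len = elem_len - KDE_DATA_OFFSET;

                if (dt == KDE_DT_GTK) {
                    if (data_len < KDE_GTK_OFFSET)
                        return KDE_ERR_OFFSET;
                    out->gtk = data + KDE_GTK_OFFSET;
                    out->gtk_len = data_len - KDE_GTK_OFFSET;
                } else if (dt == KDE_DT_IGTK) {
                    if (data_len < KDE_IGTK_OFFSET)
                        return KDE_ERR_OFFSET;
                    out->igtk = data + KDE_IGTK_OFFSET;
                    out->igtk_len = data_len - KDE_IGTK_OFFSET;
                }
            }
        }
        p += KDE_HDR_LEN + elem_len;         /* other KDE types are skipped by length */
        rem_len -= KDE_HDR_LEN + elem_len;
    }
    return KDE_OK;
}

/* Constructed KDE list: a GTK KDE, an IGTK KDE, then padding. Key bytes are
 * a counting pattern, not real keys. */
static const uint8_t kdes_good[] = {
    0xdd, 0x16, 0x00, 0x0f, 0xac, 0x01, 0x01, 0x00,           /* GTK KDE, len 22, key id 1 */
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,           /* 16-byte GTK */
    0xdd, 0x1c, 0x00, 0x0f, 0xac, 0x09, 0x04, 0x00,           /* IGTK KDE, len 28, key id 4 */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06,                       /* IPN */
    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
    0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,           /* 16-byte IGTK */
    0xdd, 0x00,                                               /* padding */
};
static const uint8_t kdes_overrun[]   = { 0xdd, 0x30, 0x00, 0x0f, 0xac, 0x01 };       /* len 48, 4 bytes left */
static const uint8_t kdes_short_gtk[] = { 0xdd, 0x05, 0x00, 0x0f, 0xac, 0x01, 0x01 }; /* GTK header incomplete */
static const uint8_t kdes_no_oui[]    = { 0xdd, 0x03, 0x00, 0x0f, 0xac };             /* no room for data type */

int main(void)
{
    struct kde_keys k;
    printf("good: %d, gtk %zu bytes, igtk %zu bytes (expected 0, 16, 16)\n",
           kde_parse(kdes_good, sizeof kdes_good, &k), k.gtk_len, k.igtk_len);
    printf("overrun %d, short gtk %d, no oui %d (expected 1, 2, 2)\n",
           kde_parse(kdes_overrun, sizeof kdes_overrun, &k),
           kde_parse(kdes_short_gtk, sizeof kdes_short_gtk, &k),
           kde_parse(kdes_no_oui, sizeof kdes_no_oui, &k));
    return 0;
}
```

The remaining-length check is done once per element before anything else, which also covers the kde_list_len case from the commit: rem_len starts at kde_list_len, so an elem_len that would push the cursor past the list is rejected on the same comparison.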
When dual band mode for SAP is enabled from the UI, the packet
for the 2G SAP will be dropped before dfs cac finishes.
Adjust the channel check to avoid the pkt drop in lim_handle80211_frames:
1. non-sbs mode: bypass 2g channel packets
2. sbs mode: bypass non-dfs channel packets
Change-Id: Ib292fa3d6366fd7ea045480f61ce1890ac8c320a
CRs-Fixed: 2132883
The DPH hash table is allocated for each session with depth equal to the
max possible peers. This memory chunk goes up to 33KB in size and
may fail. Instead allocate the memory from the BSS segment so that
run-time allocation is not needed.
Change-Id: I56d6adb7934faef1940ab8515fed30646f536ab2
CRs-fixed: 2149563
In function dot11f_get_packed_iersn, RSN_Cap is member of the structure
sDot11fIERSN and cannot be NULL.
Remove the NULL check for RSN_Cap in dot11f_get_packed_iersn
to fix Clang errors.
Change-Id: If334c66e6b84d9776b0f1f5c1e1969125d490f2f
CRs-Fixed: 2150438