In __lim_handle_sme_stop_bss_request, it will try to disassociate
STAs of which AssocId is from 1 to pMac->lim.gLimAssocStaLimit - 1.
However, valid range of AssocId should be from 1 to
pMac->lim.gLimAssocStaLimit. This will cause STA and peer leakage
when there is an STA using AssocID equal to pMac->lim.gLimAssocStaLimit.
Update the upper limit to pMac->lim.gLimAssocStaLimit accordingly.
Change-Id: Ifec315c0ae69f8b93ce8b87601cca7cc13c6bc88
CRs-Fixed: 2230757

qcacld-2.0 to qcacld-3.0 propagation
SoftAP is changing channel in response to ECSA frame from STA
Do not let SoftAP switch channel in response to ECSA.
Change-Id: Ie9ddbf10c13f62205fdd60c512a560b35c6610ba
CRs-Fixed: 2121117

Currently SAP beacon callback loops through PE sessions to check
if the beacon's channel matches any active SAP channel and then
invokes sch_beacon_process_for_ap API. In sch_beacon_process_for_ap
we again loop through all the PE sessions to identify the session
where the SAP is active.
Optimize this by looping only once through all PE sessions in
lim_handle_sap_beacon and invoke sch_beacon_process_for_ap with
the SAP session's session_id.
Change-Id: Ia74e17845de161508b6c8efff6aca82cf4d9c961
CRs-Fixed: 2226237

In lim_process_switch_channel_rsp, if pe_find_session_by_session_id
returns NULL, memory of body pointer is not freed leading to memory
leak.
Free memory allocated for body pointer if session entry is NULL in
lim_process_switch_channel_rsp.
Change-Id: I939aceb3ed993fd1488b72db9df526c1724f0ac5
CRs-Fixed: 2236980

qcacld-2.0 to qcacld-3.0 propagation
Update LDPC flag from Vendor IE instead of VHT capabilities
for VHT20 case.
Change-Id: I7bb916353586529fb78f1caeda68687663e44af2
CRs-Fixed: 2091292

Fix typo in checking mlm status by adding missing
eLIM_MLM_WT_DEL_BSS_RSP_STATE state check in
__lim_process_sme_disassoc_cnf() function.
Change-Id: Id2acde09023ba117e1d938035db9e9a0d7b303b3
CRs-Fixed: 2232883

Association request initiated by the host contains
the RSN capabilities which contain both the flags
of PMF, i.e. PMF required and PMF capable. The DUT
may connect to a non PMF AP or only a PMF capable AP,
if the DUT is PMF capable and not PMF required,
but connection to a non PMF AP isn't allowed
if the DUT is configured as PMF required.

In the Association request, the DUT advertises its
RSN capabilities, and according to them, the connection
(PMF/non PMF) happens. But these capabilities aren't
sent to the firmware, so while roaming, the DUT may
connect to a non-PMF AP, as in the re-assoc request
the DUT would still advertise PMF-REQUIRED as false,
which would be a violation of the protocol.

Fix is to send these RSN capabilities to the
firmware as part of roam scan offload params,
to have firmware save the configuration, and
send the re-assoc request with PMF required as
true, if the DUT supports PMF required.
Change-Id: Iff58f7ba3b2fee7a834bd625225bbb3d62f33557
CRs-Fixed: 2234977

In find_ie_defn function, if the current IE is an Ext IE with EID=255,
the third byte of the IE is accessed to get the extn_eid. However, if
the actual buffer length is less than 3, then an OOB read would occur
while trying to access extn_eid.
Add check to access pbuf + 2 for extn_eid only if nbuf is greater than 2.
Change-Id: Id9708176affe35a85eb21a07901ae8ed62b78b9e
CRs-Fixed: 2237141

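
The bounds discipline the find_ie_defn fix describes, as an added example: this is not qcacld code and the names (ie_parse_one, ie_walk, ie_ext_eid, struct ie_info) and the sample element bytes are constructed for the illustration. Each 802.11 element is [EID][length][payload]; when EID is 255 the first payload byte is the extension ID, so it may only be read once the buffer is known to hold a third byte and the declared length says the element carries one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IE_EID_EXTENSION 255   /* element ID that signals an extension element */

/* Parsed view of one element; body points into the caller's buffer. */
struct ie_info {
    uint8_t eid;
    uint8_t len;            /* declared payload length */
    int has_ext;            /* 1 when eid == 255 and the extension ID was readable */
    uint8_t ext_eid;        /* valid only when has_ext is set */
    const uint8_t *body;
};

/*
 * Parse the element starting at pbuf, with nbuf bytes available.
 * Returns the number of bytes the element occupies, or 0 if the buffer
 * cannot safely hold it (too short for the header, for the declared
 * length, or for the extension ID byte).
 */
size_t ie_parse_one(const uint8_t *pbuf, size_t nbuf, struct ie_info *out)
{
    if (nbuf < 2)                         /* need EID and length bytes */
        return 0;
    uint8_t eid = pbuf[0];
    uint8_t len = pbuf[1];
    if ((size_t)len + 2 > nbuf)           /* declared length overruns the buffer */
        return 0;

    out->eid = eid;
    out->len = len;
    out->body = pbuf + 2;
    out->has_ext = 0;
    if (eid == IE_EID_EXTENSION) {
        /* pbuf[2] is the extension ID: read it only if nbuf > 2 and the element carries it */
        if (nbuf < 3 || len < 1)
            return 0;
        out->has_ext = 1;
        out->ext_eid = pbuf[2];
    }
    return (size_t)len + 2;
}

/* Extension ID of the element at pbuf, or -1 if it is not a readable extension element. */
int ie_ext_eid(const uint8_t *pbuf, size_t nbuf)
{
    struct ie_info info;
    if (ie_parse_one(pbuf, nbuf, &info) == 0 || !info.has_ext)
        return -1;
    return info.ext_eid;
}

/* Walk a buffer of elements, stopping at the first malformed one; returns the count parsed. */
size_t ie_walk(const uint8_t *pbuf, size_t nbuf, size_t *consumed)
{
    size_t off = 0, count = 0;
    struct ie_info info;
    while (off < nbuf) {
        size_t n = ie_parse_one(pbuf + off, nbuf - off, &info);
        if (n == 0)
            break;
        off += n;
        count++;
    }
    if (consumed)
        *consumed = off;
    return count;
}

/* Constructed sample: an SSID element, an extension element, then a truncated extension element. */
static const uint8_t sample_ies[] = {
    0x00, 0x03, 'a', 'b', 'c',     /* EID 0 (SSID), length 3 */
    0xff, 0x02, 0x23, 0x01,        /* EID 255, length 2, extension ID 0x23 */
    0xff                            /* EID 255 with its length byte missing */
};

/* Constructed: an extension element whose buffer is only 2 bytes, the case the fix guards. */
static const uint8_t ext_no_id[] = { 0xff, 0x00 };

int main(void)
{
    size_t used = 0;
    size_t count = ie_walk(sample_ies, sizeof sample_ies, &used);
    printf("%zu well-formed element(s), %zu of %zu bytes consumed\n",
           count, used, sizeof sample_ies);
    printf("ext id of second element: %d\n", ie_ext_eid(sample_ies + 5, 4));
    printf("ext id with 2-byte buffer: %d\n", ie_ext_eid(ext_no_id, sizeof ext_no_id));
    return 0;
}
```

The two checks are deliberately separate: the `len + 2 > nbuf` test covers the generic element, and the `nbuf < 3 || len < 1` test covers the extra byte that only extension elements carry, which is the read the original code performed unconditionally.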
Add Null pointer check for packet buffer before dereferencing
it in lim_send_addba_response_frame() API.
Change-Id: I46c637b7534fe200ec586b07e34d9a4baee5ac7e
CRs-Fixed: 2232740

Currently in pe_handle_mgmt_frame, all management frames are posted
into the PE message queue. The beacon and probe response frames are
filtered before posting into the PE message queue, however the PE
message queue can still be flooded with probe request frames.
Post probe request frames via SCAN queue with the appropriate
callback function.
Change-Id: Ie29ad9602d3389af467b8f893624b86265a44421
CRs-Fixed: 2238190

Remove duplicate structs wmi_dual_mac_config and sir_dual_mac_config
and use policy_mgr_dual_mac_config.
Change-Id: I6da6539f519ec46ee274ba3f3ae042e5fd9c25d2
CRs-Fixed: 2190993

In the API lim_send_assoc_req_mgmt_frame, the host
allocates memory for the assoc request packet
taking all inputs of payload and the mac header
size etc., and in case the mem allocation fails
it clears away the memory allocated to the packet
with cds packet free, which was not even allocated.
Fix is to remove the packet free in case of memory not
allocated.
Change-Id: I3fb75b1947dfe039605c42aa19c2d0bacc7bf55d
CRs-Fixed: 2216741

In the function convert_wsc_opaque, driver does copy of the
new parameters present in the additional IEs of the upstream
assoc request frame. While copying the IE length pOld->length to
curAddIELen, possible integer truncation could occur, as the
curAddIELen is of the type uint8_t whereas pOld->length is of
type uint16_t.
Change the data type of curAddIELen to uint16_t. Make changes in
convert_p2p_opaque and convert_wfd_opaque as well.
Change-Id: Ic26660fca4a02a265bfc9553b066c7ee42f1d1f4
CRs-Fixed: 2231770
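
Why the width of curAddIELen matters, as an added example: this is not qcacld code, and the buffer size ADD_IE_MAX, the struct add_ie_blob and the function names are constructed for the illustration. The defective check narrows the 16-bit length to uint8_t before comparing, exactly the truncation the commit describes, so a buffer that is already full (length 256, which becomes 0) or oversized (300, which becomes 44) passes a test it should fail; the corrected check keeps the accumulator at uint16_t.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ADD_IE_MAX 256U   /* capacity of the additional-IE buffer (constructed value) */

/* Constructed stand-in for the structure whose 16-bit length is being copied. */
struct add_ie_blob {
    uint8_t data[ADD_IE_MAX];
    uint16_t length;       /* bytes in use; same width as pOld->length in the commit */
};

/*
 * Defective check: the 16-bit length is narrowed to uint8_t before the
 * comparison, as curAddIELen was. 256 becomes 0 and 300 becomes 44, so
 * appends that must be refused are accepted. Returns 1 if accepted.
 */
int add_ie_fits_narrow(uint16_t cur_length, uint16_t extra)
{
    uint8_t cur_len = cur_length;              /* silent truncation */
    return (unsigned)cur_len + extra <= ADD_IE_MAX;
}

/* Corrected check: the accumulator keeps the full 16-bit width. */
int add_ie_fits_wide(uint16_t cur_length, uint16_t extra)
{
    uint16_t cur_len = cur_length;
    return (unsigned)cur_len + extra <= ADD_IE_MAX;
}

/* Append n bytes using the corrected check; returns the new length, or -1 if rejected. */
int add_ie_append(struct add_ie_blob *blob, const uint8_t *src, uint16_t n)
{
    if (!add_ie_fits_wide(blob->length, n))
        return -1;
    memcpy(blob->data + blob->length, src, n);
    blob->length = (uint16_t)(blob->length + n);
    return blob->length;
}

/*
 * Fill a blob to exactly ADD_IE_MAX bytes, then ask both checks about one
 * more byte. Returns 1 when the wide check rejects the append that the
 * narrow check would have accepted, 0 otherwise.
 */
int demo_truncation(void)
{
    struct add_ie_blob blob = { {0}, 0 };
    uint8_t chunk[64];
    memset(chunk, 0xdd, sizeof chunk);            /* constructed IE bytes */

    for (int i = 0; i < 4; i++)                   /* 4 * 64 = 256 bytes */
        if (add_ie_append(&blob, chunk, sizeof chunk) < 0)
            return 0;

    int narrow_accepts = add_ie_fits_narrow(blob.length, 1);
    int wide_accepts   = add_ie_fits_wide(blob.length, 1);
    return blob.length == ADD_IE_MAX && narrow_accepts && !wide_accepts;
}

int main(void)
{
    printf("narrow check accepts 256 + 1: %d (defect)\n", add_ie_fits_narrow(256, 1));
    printf("wide check accepts 256 + 1:   %d\n", add_ie_fits_wide(256, 1));
    printf("demo_truncation: %d\n", demo_truncation());
    return 0;
}
```

The point generalises beyond this one local: any length or offset copied from a wider field into a narrower one must be checked in the wider type, or the check is evaluated against a value the data no longer has.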