In lim_process_switch_channel_rsp, if pe_find_session_by_session_id
returns NULL, memory of body pointer is not freed leading to memory
leak.
Free memory allocated for body pointer if session entry is NULL in
lim_process_switch_channel_rsp.
Change-Id: I939aceb3ed993fd1488b72db9df526c1724f0ac5
CRs-Fixed: 2236980
qcacld-2.0 to qcacld-3.0 propagation
Update LDPC flag from Vendor IE instead of VHT capabilities
for VHT20 case.
Change-Id: I7bb916353586529fb78f1caeda68687663e44af2
CRs-Fixed: 2091292
Fix typo in checking mlm status by adding missing
eLIM_MLM_WT_DEL_BSS_RSP_STATE state check in
__lim_process_sme_disassoc_cnf() function.
Change-Id: Id2acde09023ba117e1d938035db9e9a0d7b303b3
CRs-Fixed: 2232883
Association request initiated by the host contains
the RSN capabilities which contains both the flags
of PMF, i.e PMF required and PMF capable. The DUT
may connect to a non PMF AP or only a PMF capable AP,
if the DUT is PMK capable and not PMF required,
but connection to a non PMF AP isnt allowed
if the DUT is configured as PMF required.
In the Association request, the DUT advertises its
RSN capabilities, and accrding to them, the connection
(PMF/non PMF) happens. But these capabilities arent
sent to the firmware, so while roaming, the DUT may
connect to a non-PMF AP, as in the re-assoc request
the DUT would still advertise PMF-REQUIRED as false,
which would be violation of protocol.
Fix is to send these RSN capabilities to the
firmware as part of roam scan offload params,
to have firmware save the configuration, and
send the RE-assoc request with PMF required as
true, if the DUT supports PMF required.
Change-Id: Iff58f7ba3b2fee7a834bd625225bbb3d62f33557
CRs-Fixed: 2234977
In find_ie_defn function, if the current IE is an Ext IE with EID=255,
the third byte of the IE is accessed to get the extn_eid. However, if
the actual buffer length is less than 3, then an OOB read would occur
while trying to access extn_eid.
Add check to access pbuf + 2 for extn_eid only if nbuf is greater than 2.
Change-Id: Id9708176affe35a85eb21a07901ae8ed62b78b9e
CRs-Fixed: 2237141
Add Null pointer check for packet buffer before dereference
it in lim_send_addba_response_frame() API.
Change-Id: I46c637b7534fe200ec586b07e34d9a4baee5ac7e
CRs-Fixed: 2232740
Currently in pe_handle_mgmt_frame, all management frames are posted
into the PE message queue. The beacon and probe response frames are
filtered before posting into the PE message queue, however the PE
message queue can still be flooded with probe request frames.
Post probe request frames via SCAN queue with the appropriate
callback function.
Change-Id: Ie29ad9602d3389af467b8f893624b86265a44421
CRs-Fixed: 2238190
Remove duplicate structs wmi_dual_mac_config and sir_dual_mac_config
and use policy_mgr_dual_mac_config.
Change-Id: I6da6539f519ec46ee274ba3f3ae042e5fd9c25d2
CRs-Fixed: 2190993
In the API lim_send_assoc_req_mgmt_frame, the host
allocates memory for the assoc request packet
taking all inputs of payload and the mac header
size etc, and in case the mem allocation fails
it clears away the memory allocated to the packet
with cds packet free, which was not even allocated
Fix is to remove the packet free in case of memory not
allocated
Change-Id: I3fb75b1947dfe039605c42aa19c2d0bacc7bf55d
CRs-Fixed: 2216741
In the function convert_wsc_opaque, driver does copy of the
new parameters present in the additional IEs of the upstream
assoc request frame. While copy of the IE length pOld->length to
curAddIELen, possible integer truncation could occur, as the
curAddIELen is of the type uint8_t whereas pOld->length is of
type uint16_t.
Change the data type of curAddIELen to uint16_t. Make changes in
convert_p2p_opaque and convert_wfd_opaque as well.
Change-Id: Ic26660fca4a02a265bfc9553b066c7ee42f1d1f4
CRs-Fixed: 2231770
In function update_fils_data, fils_indication->num_variable_data
is the actual length of the data present in the array variable_data.
While accessing variable_data array to copy cache identifier, HESSID
and realm identifiers, the length of the array is not checked and
could lead to OOB access.
Add check to validate remaining data length in variable_data array
before accessing it to copy various fields.
Change-Id: Ifc1f5d55964bcd7fdcc2676ea9c2afede0fe6803
CRs-Fixed: 2231767
As a result of P2P componentization a variety of P2P-related macros
are no longer used, so remove them.
Change-Id: I693c4f11575968ce0aae9f3ecac9e008b0dbf5b9
CRs-Fixed: 2237726
Replace typos "sucess" and "sucessful" with correct spellings
"success" and "successful"
Change-Id: I30746cbab4533da9b052261fa9bb87214188138b
CRs-Fixed: 2237724
