In the API sir_validate_and_rectify_ies, the driver rectifies
the RSN IE if the AP hasn't filled the RSN capabilities in the
beacon/probe response but has filled the length of the IE with the extra
2 bytes meant for the RSN capabilities. The driver tries to repair
these kinds of frames and fills the last 2 bytes of the RSN IE with
default RSN capabilities, to prevent the failure of unpacking
the IEs in unpack-core. But the driver may write these default
RSN capabilities into some other allocated memory, because the
allocated memory is only the frame length, which would result
in an OOB write.
Fix is to allocate some reserve bytes in the frame
for these types of issues.
Change-Id: I46c7301f3e40f84d2c68ec9ba38702baa6926306
CRs-Fixed: 2232542
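Added illustration of the repair and the reserve-bytes fix described above; this is example code, not the driver's own. RSN_IE_RESERVE, DEFAULT_RSN_CAPS and the function names are assumed placeholders, and the frame bytes in the test are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RSN_EID          48      /* Element ID of the RSN IE */
#define RSN_IE_RESERVE   2       /* assumed: spare bytes kept after the frame */
#define DEFAULT_RSN_CAPS 0x0000  /* assumed placeholder for default RSN capabilities */

/* Copy a received frame into a buffer that carries reserve bytes, so an
 * IE repair that appends data can never write past the allocation. */
uint8_t *alloc_frame_with_reserve(const uint8_t *frame, size_t frame_len)
{
    uint8_t *buf = calloc(frame_len + RSN_IE_RESERVE, 1);
    if (buf)
        memcpy(buf, frame, frame_len);
    return buf;
}

/* Walk the IEs starting at ie_off. If the RSN IE declares exactly two more
 * bytes than the frame holds (the AP counted the capabilities in the length
 * but omitted them), write default capabilities into the reserve and return
 * the new frame length. Return 0 when no repair is needed and -1 when the
 * frame is malformed or the buffer has no room for the repair. */
long rectify_rsn_ie(uint8_t *buf, size_t buf_cap, size_t frame_len, size_t ie_off)
{
    size_t pos = ie_off;
    while (pos + 2 <= frame_len) {
        uint8_t eid = buf[pos], len = buf[pos + 1];
        size_t ie_end = pos + 2 + len;

        if (eid != RSN_EID) {
            if (ie_end > frame_len)
                return -1;          /* truncated non-RSN IE: not repairable */
            pos = ie_end;
            continue;
        }
        if (ie_end <= frame_len)
            return 0;               /* RSN IE fully present, nothing to do */
        /* Only the "capabilities missing" shape is repaired, and only when
         * the allocation actually has room for the two extra bytes. */
        if (ie_end != frame_len + 2 || ie_end > buf_cap)
            return -1;
        buf[ie_end - 2] = DEFAULT_RSN_CAPS & 0xff;
        buf[ie_end - 1] = (DEFAULT_RSN_CAPS >> 8) & 0xff;
        return (long)ie_end;
    }
    return 0;
}
```

Without the reserve (buf_cap equal to frame_len) the same frame is rejected instead of being patched out of bounds.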
Currently when transferring SSID information from the nl80211 TLV to
the internal data structure hdd_fill_pmksa_info() always copies
SIR_MAC_MAX_SSID_LENGTH bytes which can overread the buffer. In order
to prevent overread only copy as many bytes as the TLV contains.
Note that the destination buffer passed to hdd_fill_pmksa_info() is
always zero-filled so no additional zeroing of bytes is required.
Change-Id: I1f6773b70e9e728d6b1ce93ca26417348e96844c
CRs-Fixed: 2237462
In lim_process_switch_channel_rsp, if pe_find_session_by_session_id
returns NULL, memory of body pointer is not freed leading to memory
leak.
Free memory allocated for body pointer if session entry is NULL in
lim_process_switch_channel_rsp.
Change-Id: I939aceb3ed993fd1488b72db9df526c1724f0ac5
CRs-Fixed: 2236980
In a scenario where the below two HDD commands are executed at the
same time from different threads:
1. Disconnect, which does an RSO Stop and frees the pCurRoamProfile
2. Set Blacklist BSSID, which does an RSO Update and accesses
the pCurRoamProfile
pCurRoamProfile is accessed in the function csr_roam_offload_scan
after it is freed from the other context.
The Disconnect command from HDD is protected under the global SME lock,
however, the set blacklist BSSID path is not protected under SME lock.
There are multiple instances where csr_roam_offload_scan is called
without the SME lock which could lead to similar issues.
Acquire SME lock before csr_roam_offload_scan from callers in
SME/HDD which can be from other threads.
Change-Id: I9666bab0001b56ec01dcf1df0becb36344fb6f9a
CRs-Fixed: 2226423
In function wma_form_rx_packet, mpdu_data_len is calculated as
(buf_len - mpdu_hdr_len). If the value of buf_len is less than
mpdu_hdr_len, then an integer underflow would occur while calculating
mpdu_data_len.
Add sanity check to return invalid if buf_len is less than mpdu_hdr_len.
Change-Id: I4522eadb65f6cd8b210ba071a91e53008eec042c
CRs-Fixed: 2230318
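Added example (not the driver's code) of the unsigned underflow above and the sanity check that closes it: the header length is derived from the 802.11 frame-control bytes, and the hardened form rejects a buffer shorter than its header instead of producing a wrapped length. Function and struct names are assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define FC0_TYPE_MASK   0x0c
#define FC0_TYPE_DATA   0x08    /* type field == 2 (data) */
#define FC0_SUBTYPE_QOS 0x80    /* QoS data subtypes have bit 7 set */
#define FC1_TODS        0x01
#define FC1_FROMDS      0x02

struct rx_packet { const uint8_t *data; uint32_t hdr_len; uint32_t data_len; };

/* 802.11 MAC header length from the two frame-control bytes: 24 bytes for
 * a management or three-address data frame, +6 for a four-address (WDS)
 * frame, +2 for the QoS control field. Control frames are out of scope. */
uint32_t ieee80211_hdr_len(uint8_t fc0, uint8_t fc1)
{
    uint32_t len = 24;
    if ((fc0 & FC0_TYPE_MASK) == FC0_TYPE_DATA) {
        if ((fc1 & (FC1_TODS | FC1_FROMDS)) == (FC1_TODS | FC1_FROMDS))
            len += 6;
        if (fc0 & FC0_SUBTYPE_QOS)
            len += 2;
    }
    return len;
}

/* The unchecked form: with buf_len < hdr_len the subtraction wraps to a
 * value near UINT32_MAX, which any later copy would trust. */
uint32_t unchecked_mpdu_data_len(uint32_t buf_len, uint32_t hdr_len)
{
    return buf_len - hdr_len;
}

/* Hardened form: reject the frame instead of letting the length wrap. */
bool form_rx_packet(const uint8_t *buf, uint32_t buf_len, struct rx_packet *pkt)
{
    uint32_t hdr_len;
    if (!buf || !pkt || buf_len < 2)
        return false;
    hdr_len = ieee80211_hdr_len(buf[0], buf[1]);
    if (buf_len < hdr_len)
        return false;           /* the sanity check the fix adds */
    pkt->hdr_len = hdr_len;
    pkt->data = buf + hdr_len;
    pkt->data_len = buf_len - hdr_len;  /* cannot underflow now */
    return true;
}
```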
qcacld-2.0 to qcacld-3.0 propagation
Update LDPC flag from Vendor IE instead of VHT capabilities
for VHT20 case.
Change-Id: I7bb916353586529fb78f1caeda68687663e44af2
CRs-Fixed: 2091292
Fix typo in checking mlm status by adding missing
eLIM_MLM_WT_DEL_BSS_RSP_STATE state check in
__lim_process_sme_disassoc_cnf() function.
Change-Id: Id2acde09023ba117e1d938035db9e9a0d7b303b3
CRs-Fixed: 2232883
For LFR2.0 roaming policy, firmware will indicate a roam event with
WMI_ROAM_REASON_SUITABLE_AP reason even when the ROAM_SCAN_OFFLOAD_STOP cmd
is set with WMI_ROAM_SCAN_MODE_ROAMOFFLOAD; it doesn't obey the LFR2.0
roaming policy design. Root cause is firmware only disables roam
scan with a ROAM_SCAN_OFFLOAD_STOP cmd which sets scan mode to
WMI_ROAM_SCAN_MODE_NONE.
Fix is to always set scan mode to WMI_ROAM_SCAN_MODE_NONE for
LFR2.0 when the host sends the ROAM_SCAN_OFFLOAD_STOP cmd.
Change-Id: Id5e8325f2767023daacd3dbd4104ce768de3857d
CRs-Fixed: 2228315
When Pre-Auth fails, it goes to the ROAM_SCAN_OFFLOAD_START
or ROAM_SCAN_OFFLOAD_RESTART process, which always uses zero as the
session_id param for csr_roam_offload_scan. That's wrong; session_id
should be a variable value.
Fix is to use the variable session_id param for csr_roam_offload_scan.
Change-Id: Iaf5f234dc73001440aaf02d7931c7891903f9148
CRs-Fixed: 2239812
The DPT_DEBUGFS_PERMS macro has been defined inside
ifdef QCA_SUPPORT_TXRX_LOCAL_PEER_ID. Since this can cause problems
when the above config is not set, define it outside.
Change-Id: Ibf02f692ddaf0b5de17d647cce27a6e093f7b7df
CRs-Fixed: 2238106
Association request initiated by the host contains
the RSN capabilities which contain both the flags
of PMF, i.e. PMF required and PMF capable. The DUT
may connect to a non-PMF AP or only a PMF-capable AP
if the DUT is PMF capable and not PMF required,
but connection to a non-PMF AP isn't allowed
if the DUT is configured as PMF required.
In the Association request, the DUT advertises its
RSN capabilities, and according to them, the connection
(PMF/non-PMF) happens. But these capabilities aren't
sent to the firmware, so while roaming, the DUT may
connect to a non-PMF AP, as in the re-assoc request
the DUT would still advertise PMF-REQUIRED as false,
which would be a violation of the protocol.
Fix is to send these RSN capabilities to the
firmware as part of roam scan offload params,
to have firmware save the configuration, and
send the RE-assoc request with PMF required as
true, if the DUT supports PMF required.
Change-Id: Iff58f7ba3b2fee7a834bd625225bbb3d62f33557
CRs-Fixed: 2234977
While SSR happens, hdd_reset_all_adapters will not clear
mac_ctx->sap.sapCtxList[sapctx->sessionId].pSapContext, and later the
sapctx will be assigned a new sessionId after SSR restarts SAP and updates
mac_ctx->sap.sapCtxList. So sapctx/old sessionId can still be
referenced by e.g. wlan_sap_is_pre_cac_active and call pre cac cleanup
on an unexpected port.
When SAP restarts and sets the global sapCtxList in sap_set_session_param(),
find the matched sapctx and clear it before assigning the updated value.
Change-Id: Id02733cb22267ac0c1899d8caf9ac47c65e24a88
CRs-Fixed: 2232398
Vdev ref count is incremented in wma_state_info_dump
and not decremented before return. This results in the
vdev not being deleted physically as part of wlan0 hdd_stop.
On hdd_open, a new vdev is created for wlan0 with same
mac addr as the previous wlan0 vdev. In scan, API to
get vdev by mac addr will return NULL since the first
wlan0 vdev is not physically deleted and not removed from
vdev list.
Fix is to decrement vdev ref count in wma_state_info_dump.
Change-Id: I67c90a721643f5bb7c6e212846f6d398055a6672
CRs-Fixed: 2233997
In find_ie_defn function, if the current IE is an Ext IE with EID=255,
the third byte of the IE is accessed to get the extn_eid. However, if
the actual buffer length is less than 3, then an OOB read would occur
while trying to access extn_eid.
Add check to access pbuf + 2 for extn_eid only if nbuf is greater than 2.
Change-Id: Id9708176affe35a85eb21a07901ae8ed62b78b9e
CRs-Fixed: 2237141
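Added example (not the driver's find_ie_defn) of identifying an element without reading past the buffer: for the Element ID Extension (EID 255) the extension ID in the third byte is only read when nbuf is greater than 2, and a walker built on it stops at the first truncated element. Names are assumed and the IE bytes in the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define EID_EXTENSION 255   /* Element ID Extension (IEEE 802.11-2016 9.4.2.1) */

struct ie_key { uint8_t eid; uint8_t ext_eid; int has_ext; };

/* Identify the element at pbuf without reading beyond nbuf bytes.
 * Returns 0 on success, -1 if the bytes needed to identify it are absent. */
int find_ie_key(const uint8_t *pbuf, size_t nbuf, struct ie_key *key)
{
    if (nbuf < 2)                 /* need at least EID and length */
        return -1;
    key->eid = pbuf[0];
    key->has_ext = 0; key->ext_eid = 0;
    if (pbuf[0] != EID_EXTENSION)
        return 0;
    /* Extension element: the extension ID is the third byte. It must be
     * inside the buffer (nbuf > 2) and counted in the declared length. */
    if (nbuf < 3 || pbuf[1] < 1)
        return -1;
    key->has_ext = 1;
    key->ext_eid = pbuf[2];
    return 0;
}

/* Count the well-formed elements in a buffer; stop at the first one whose
 * header or body runs past nbuf and report it via *truncated. */
int count_ies(const uint8_t *pbuf, size_t nbuf, int *truncated)
{
    int n = 0;
    *truncated = 0;
    while (nbuf > 0) {
        struct ie_key key;
        size_t ie_len;
        if (find_ie_key(pbuf, nbuf, &key) < 0)
            break;
        ie_len = (size_t)pbuf[1] + 2;
        if (ie_len > nbuf)
            break;
        n++;
        pbuf += ie_len;
        nbuf -= ie_len;
    }
    if (nbuf > 0)
        *truncated = 1;
    return n;
}
```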
Add Null pointer check for packet buffer before dereferencing
it in lim_send_addba_response_frame() API.
Change-Id: I46c637b7534fe200ec586b07e34d9a4baee5ac7e
CRs-Fixed: 2232740
'wma' pointer is initialized using the return value of
cds_get_context. This function can return a NULL value.
Check for NULL pointer before dereferencing the 'wma'.
Change-Id: I529a34fba91f19bdd6c62d14e97cfabb476cdf7f
CRs-Fixed: 2239647
Currently in pe_handle_mgmt_frame, all management frames are posted
into the PE message queue. The beacon and probe response frames are
filtered before posting into the PE message queue, however the PE
message queue can still be flooded with probe request frames.
Post probe request frames via SCAN queue with the appropriate
callback function.
Change-Id: Ie29ad9602d3389af467b8f893624b86265a44421
CRs-Fixed: 2238190
Remove duplicate structs wmi_dual_mac_config and sir_dual_mac_config
and use policy_mgr_dual_mac_config.
Change-Id: I6da6539f519ec46ee274ba3f3ae042e5fd9c25d2
CRs-Fixed: 2190993
Use correct size to mem zero tCsrRoamConnectedProfile
in csr_roam_save_ndi_connected_info() function.
Change-Id: I54d2bef0bd9202971dff47f9b25d43ff40258630
CRs-Fixed: 2232891
The IOCTL handler mapping code for QCSAP_SET_FW_PROFILE_HIST_INTVL
mistakenly falls through to the next switch case. Add a break to prevent
executing two IOCTL callbacks for QCSAP_SET_FW_PROFILE_HIST_INTVL.
Change-Id: I6b0a17b87c22d1d2be3697456608e8ebe704afed
CRs-Fixed: 2232911