author | Utkarsh Bhatnagar <ubhatnag@codeaurora.org> | 2021-03-16 17:50:31 +0530 |
---|---|---|
committer | Paul Chen <chenpaul@google.com> | 2021-03-30 09:14:39 +0000 |
commit | 1a6f8ea3698beb6065782118ef9665f1fc794f3c (patch) | |
tree | 7d3956e24a2ddbdaf5521d8b55ac65d92ef7be3a | |
parent | 4d4683efed3e1ffc2bee16a84d2b3275325505ff (diff) | |
download | qcacld-1a6f8ea3698beb6065782118ef9665f1fc794f3c.tar.gz |
qcacld-3.0: Limit the BA window buffer sizeandroid-11.0.0_r0.99android-11.0.0_r0.94android-11.0.0_r0.85android-11.0.0_r0.114android-11.0.0_r0.104android-msm-sunfish-4.14-android11-qpr3
If the peer itself advertises a BA window size larger than
the allowed value, a crash can happen. So, limit the
BA window size to the maximum allowed BA buffer size when
the buffer size in the peer's BA request exceeds it.
Change-Id: Ie695b9787b555616a5443077147d4bc3a3aefb78
CRs-Fixed: 2766363
Bug: 182634675
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rw-r--r-- | core/mac/inc/sir_mac_prot_def.h | 2 | ||||
-rw-r--r-- | core/mac/src/pe/lim/lim_process_action_frame.c | 25 |
2 files changed, 25 insertions, 2 deletions
diff --git a/core/mac/inc/sir_mac_prot_def.h b/core/mac/inc/sir_mac_prot_def.h index 69fc4fb571..4d68f3d9b3 100644 --- a/core/mac/inc/sir_mac_prot_def.h +++ b/core/mac/inc/sir_mac_prot_def.h @@ -160,6 +160,8 @@ #define SIR_MAC_BA_AMSDU_SUPPORTED 1 #define SIR_MAC_BA_DEFAULT_BUFF_SIZE 64 +#define MAX_BA_BUFF_SIZE 256 + #ifdef ANI_SUPPORT_11H #define SIR_MAC_ACTION_MEASURE_REQUEST_ID 0 #define SIR_MAC_ACTION_MEASURE_REPORT_ID 1 diff --git a/core/mac/src/pe/lim/lim_process_action_frame.c b/core/mac/src/pe/lim/lim_process_action_frame.c index 22951c3c39..5eb281bb97 100644 --- a/core/mac/src/pe/lim/lim_process_action_frame.c +++ b/core/mac/src/pe/lim/lim_process_action_frame.c @@ -1672,6 +1672,9 @@ static void lim_process_addba_req(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info, uint8_t peer_id; void *soc = cds_get_context(QDF_MODULE_ID_SOC); void *peer, *pdev; + tpDphHashNode sta_ds; + uint16_t aid, buff_size; + bool he_cap = false; pdev = cds_get_context(QDF_MODULE_ID_TXRX); if (!pdev) { 
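Review bot: `MAX_BA_BUFF_SIZE` is added in sir_mac_prot_def.h with no comment and without the `SIR_MAC_BA_` prefix used by the two defines directly above it, so nothing at the definition says it is a bound. lim_process_addba_req uses it as the ceiling for HE-capable peers, so a comment such as `/* Largest BA buffer size accepted for an HE-capable peer */` would record that. A name like `SIR_MAC_BA_MAX_BUFF_SIZE` would also match its neighbours.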
@@ -1712,12 +1715,30 @@ static void lim_process_addba_req(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info, goto error; } + sta_ds = dph_lookup_hash_entry(mac_ctx, mac_hdr->sa, &aid, + &session->dph.dphHashTable); + if (sta_ds && lim_is_session_he_capable(session)) + he_cap = lim_is_sta_he_capable(sta_ds); + if (sta_ds && sta_ds->staType == STA_ENTRY_NDI_PEER) + he_cap = lim_is_session_he_capable(session); + + if (he_cap) + buff_size = MAX_BA_BUFF_SIZE; + else + buff_size = SIR_MAC_BA_DEFAULT_BUFF_SIZE; + + if (mac_ctx->usr_cfg_ba_buff_size) + buff_size = mac_ctx->usr_cfg_ba_buff_size; + + if (addba_req->addba_param_set.buff_size) + buff_size = QDF_MIN(buff_size, + addba_req->addba_param_set.buff_size); + qdf_status = cdp_addba_requestprocess(soc, peer, addba_req->DialogToken.token, addba_req->addba_param_set.tid, addba_req->ba_timeout.timeout, - addba_req->addba_param_set.buff_size, - addba_req->ba_start_seq_ctrl.ssn); + buff_size, addba_req->ba_start_seq_ctrl.ssn); cdp_peer_release_ref(soc, peer, PEER_DEBUG_ID_WMA_ADDBA_REQ); |
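Review bot: The `usr_cfg_ba_buff_size` override replaces `buff_size` outright, so the ceiling that the peer's value is later compared against is no longer bounded by `MAX_BA_BUFF_SIZE` (or by `SIR_MAC_BA_DEFAULT_BUFF_SIZE` for a non-HE peer). If the configured value can exceed 256 (its valid range is set outside this hunk), the clamp this commit introduces is bypassed. Writing `buff_size = QDF_MIN(mac_ctx->usr_cfg_ba_buff_size, MAX_BA_BUFF_SIZE);` keeps the hard limit in place. A debug-level log when the size from the ADDBA request is reduced would also help triage, since an oversized request is the condition the commit message ties to the crash. The body of lim_process_addba_req starts and ends outside the hunk.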