path: root/core/wma/src/wma_mgmt.c
authorSrinivas Girigowda <sgirigow@codeaurora.org>2018-05-29 14:11:53 -0700
committerSrinivas Girigowda <sgirigow@codeaurora.org>2018-05-29 14:12:50 -0700
commit18be19974f2d830691fb4d11a6474f7f29ab6c9c (patch)
treeb3b685899d9edbe138e8762e50a40cdbfd956b97 /core/wma/src/wma_mgmt.c
parentd048a5bcf03239a005407a30fc39da46dc3d7ce0 (diff)
qcacld-3.0: Release 5.3.1.1L
43ea0b0 qcacld-3.0: Dont pass source argument as nla_data to nla_memcpy 193fd1a Release 5.3.1.1L fc0db5e qcacld-3.0: Use request manager API for RCPI feature 03e6ec8 qcacld-3.0: Add per-chain RSSI prints in WMA layer 06cc9ce qcacld-3.0: Add a NULL check on channels in IOCTL SETROAMSCANCHANNELS c10d8aa qcacld-3.0: Fix buffer overwrite in csr_roam_diag_joined_new_bss() bd75dc7 qcacld-3.0: Fix buffer overwrite in lim_mlm_add_bss() 325214e qcacld-3.0: Fix NULL acs_cfg ptr access 318cfde qcacld-3.0: Avoid possible NULL pointer dereference e34b18d qcacld-3.0: Fix possible OOB issue in ol_tx_desc_update_group_credit c33a8be qcacld-3.0: Fix possible OOB access in ol_rx_reorder_detect_hole 12734b7 qcacld-3.0: Avoid VDEV start for new interface when roaming in progress 7622df0 qcacld-3.0: Reject DISA test vendor command if power save is enabled .................. Bug: 80408179 Change-Id: I474badd9b1f3fc0927f991a1898343832dba93ea Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Diffstat (limited to 'core/wma/src/wma_mgmt.c')
-rw-r--r--core/wma/src/wma_mgmt.c39
1 files changed, 35 insertions, 4 deletions
diff --git a/core/wma/src/wma_mgmt.c b/core/wma/src/wma_mgmt.c
index ea1b718d35..e51a735638 100644
--- a/core/wma/src/wma_mgmt.c
+++ b/core/wma/src/wma_mgmt.c
@@ -3297,6 +3297,13 @@ int wma_process_rmf_frame(tp_wma_handle wma_handle,
cds_pkt_return_packet(rx_pkt);
return -EINVAL;
}
+ if (qdf_nbuf_len(wbuf) < (sizeof(*wh) + IEEE80211_CCMP_HEADERLEN +
+ IEEE80211_CCMP_MICLEN)) {
+ WMA_LOGE("Buffer length less than expected %d ",
+ (int)qdf_nbuf_len(wbuf));
+ cds_pkt_return_packet(rx_pkt);
+ return -EINVAL;
+ }
orig_hdr = (uint8_t *) qdf_nbuf_data(wbuf);
/* Pointer to head of CCMP header */
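Review bot: The new length guard at the top of this hunk reports only the observed buffer length, not the minimum it was compared against, so a dropped protected frame cannot be triaged from the log alone; log both sides: `WMA_LOGE("Buffer length %d less than expected %d", (int)qdf_nbuf_len(wbuf), (int)(sizeof(*wh) + IEEE80211_CCMP_HEADERLEN + IEEE80211_CCMP_MICLEN));`. The check reads `sizeof(*wh)` as the management header size, which presumes wh is already the frame pointer at this point; the signature and the earlier checks of wma_process_rmf_frame are outside the hunk, so confirm that. Since every malformed frame now produces a WMA_LOGE, consider a rate-limited variant so a burst of truncated frames from the air cannot flood the kernel log; the file already defines RATE_LIMIT for the rx path.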
@@ -3481,6 +3488,7 @@ end:
}
#define RATE_LIMIT 16
+#define RESERVE_BYTES 100
/**
* wma_mgmt_rx_process() - process management rx frame.
* @handle: wma handle
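Review bot: RESERVE_BYTES is introduced as a bare file-scope constant with no comment, while its whole rationale lives at the qdf_nbuf_alloc call site in wma_mgmt_rx_process(); a reader landing on the define has no way to know it is safety headroom rather than protocol padding. A one-line pointer keeps the two in sync: `/* Extra headroom added to every mgmt rx buffer; see the qdf_nbuf_alloc comment in wma_mgmt_rx_process() */`.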
@@ -3616,9 +3624,28 @@ static int wma_mgmt_rx_process(void *handle, uint8_t *data,
qdf_mem_free(rx_pkt);
return -EINVAL;
}
-
- /* Why not just use rx_event->hdr.buf_len? */
- wbuf = qdf_nbuf_alloc(NULL, roundup(hdr->buf_len, 4), 0, 4, false);
+ /*
+ * Allocate the memory for this rx packet, add extra 100 bytes for:-
+ *
+ * 1. Filling the missing RSN capabilites by some APs, which fill the
+ * RSN IE length as extra 2 bytes but dont fill the IE data with
+ * capabilities, resulting in failure in unpack core due to length
+ * mismatch. Check sir_validate_and_rectify_ies for more info.
+ *
+ * 2. In the API wma_process_rmf_frame(), the driver trims the CCMP
+ * header by overwriting the IEEE header to memory occupied by CCMP
+ * header, but an overflow is possible if the memory allocated to
+ * frame is less than the sizeof(struct ieee80211_frame) +CCMP
+ * HEADER len, so allocating 100 bytes would solve this issue too.
+ *
+ * 3. CCMP header is pointing to orig_hdr +
+ * sizeof(struct ieee80211_frame) which could also result in OOB
+ * access, if the data len is less than
+ * sizeof(struct ieee80211_frame), allocating extra bytes would
+ * result in solving this issue too.
+ */
+ wbuf = qdf_nbuf_alloc(NULL, roundup(hdr->buf_len + RESERVE_BYTES,
+ 4), 0, 4, false);
if (!wbuf) {
WMA_LOGE("%s: Failed to allocate wbuf for mgmt rx len(%u)",
__func__, hdr->buf_len);
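Review bot: `hdr->buf_len + RESERVE_BYTES` is computed on a firmware-supplied unsigned length (it is printed with %u in the error path) before any bound visible in this hunk is applied, so if the validation preceding the hunk does not cap buf_len the addition and roundup can wrap and the buffer ends up smaller than the frame it must hold. The return at the top of the hunk suggests some check exists, but it is outside the hunk; confirm it rejects buf_len above a maximum management-frame size before this arithmetic. The new comment also repeats the literal 100 while the code uses RESERVE_BYTES, so the two can drift; `Allocate the memory for this rx packet, add RESERVE_BYTES extra bytes for:-` avoids that. Note too that the padding only keeps the accesses in points 2 and 3 inside the allocation, not inside the received data; the length check added to wma_process_rmf_frame in the first hunk is the real guarantee and the comment would be clearer saying the headroom is defence in depth. wma_mgmt_rx_process starts before and continues after this hunk.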
@@ -3664,7 +3691,7 @@ static int wma_mgmt_rx_process(void *handle, uint8_t *data,
mgt_type = (wh)->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
mgt_subtype = (wh)->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
- WMA_LOGD(FL("BSSID: "MAC_ADDRESS_STR" snr = %d, Type = %x, Subtype = %x, seq_num = %x, rssi = %d, rssi_raw = %d tsf_delta: %u"),
+ WMA_LOGD(FL("BSSID: "MAC_ADDRESS_STR" snr = %d, Type = %x, Subtype = %x, seq_num = %x, rssi = %d, rssi_raw = %d rssi for chain0 is :- %d, chain1 is %d, tsf_delta: %u"),
MAC_ADDR_ARRAY(wh->i_addr3),
hdr->snr, mgt_type, mgt_subtype,
(((*(uint16_t *)wh->i_seq) &
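Review bot: The new format text `rssi for chain0 is :- %d, chain1 is %d` breaks the `name = value` pattern used by every other field on this line and is awkward to grep; `rssi_chain0 = %d, rssi_chain1 = %d` matches the surrounding style. The arguments that fill these two specifiers are in the next hunk, since the WMA_LOGD call spans both hunks.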
@@ -3672,6 +3699,10 @@ static int wma_mgmt_rx_process(void *handle, uint8_t *data,
IEEE80211_SEQ_SEQ_SHIFT),
rx_pkt->pkt_meta.rssi,
rx_pkt->pkt_meta.rssi_raw,
+ (rx_pkt->pkt_meta.rssi_per_chain[0] +
+ WMA_NOISE_FLOOR_DBM_DEFAULT),
+ (rx_pkt->pkt_meta.rssi_per_chain[1] +
+ WMA_NOISE_FLOOR_DBM_DEFAULT),
hdr->tsf_delta);
if (!wma_handle->mgmt_rx) {
WMA_LOGE("Not registered for Mgmt rx, dropping the frame");
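Review bot: The two new arguments index rssi_per_chain[0] and rssi_per_chain[1] unconditionally, which bakes a two-chain assumption into the log; the declaration of pkt_meta.rssi_per_chain is not in view, so confirm it has at least two entries and decide whether further chains should be reported rather than silently omitted. Adding WMA_NOISE_FLOOR_DBM_DEFAULT means a chain whose raw value is 0 prints exactly as the default noise floor, which a reader could mistake for a real reading if firmware did not populate that chain; a short comment such as `/* raw per-chain value plus default noise floor; an unpopulated chain prints as the floor */` would prevent that misreading. The enclosing wma_mgmt_rx_process continues past the end of this hunk.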