Age  Commit message  Author
2019-11-21  qcacld-3.0: Validate number of requested EIDs in beacon request  (tags: android-10.0.0_r0.40, android-10.0.0_r0.38, android-10.0.0_r0.34, android-10.0.0_r0.33, android-msm-crosshatch-4.9-android10-qpr1, android-msm-bonito-4.9-android10-qpr1)  Pragaspathi Thilagaraj

If the requested info field in beacon report request is present, the driver tries to allocate memory for the target beacon report EIDs from the number of requested EIDs received from the frame. Since the number of requested EIDs is directly controlled by the frame sent by AP, validate this value before using it to allocate memory.

Bug: 144843138
Change-Id: Icbac3e952de0d7ae3144e9b319f2c51ccdf93ac5
CRs-Fixed: 2571480
Signed-off-by: Sunil Ravi <sunilravi@google.com>

2019-09-12  qcacld-3.0: Mark SRD channels as passive  (tags: android-10.0.0_r0.28, android-10.0.0_r0.26)  Vinay Gannevaram

Currently the driver does not mark the SRD channels as passive, which leads to hostapd starting P2P-GO on an SRD channel; but since the driver does not allow the same, P2P-GO fails. Fix is to inform the wiphy about the SRD channels by marking them as passive so that hostapd does not give the command to start the P2P-GO on the particular SRD channel.

Change-Id: I5eaa457b8819d7a22d2e592d1b79fff15b364f40
CRs-Fixed: 2491045
Bug: 138939517
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>

2019-09-05  qcacld-3.0: Avoid buffer overflow in wma_process_bip  Jianmin Zhu

If 11w is enabled, mmie should be included in broadcast/multicast rmf; the length check needs to consider it to avoid buffer overflow.

CRs-Fixed: 2270117
Bug: 139890137
Change-Id: I6c2ebe18fb5b6e4246ba6d28c1dbc55175279e30
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2019-09-05  qcacld-3.0: Possible integer overflow in hdd apf read memory cb  Ashish Kumar Dhanotiya

In hdd_apf_read_memory_cb, the context buffer length is checked against the sum of packet offset and event length. Packet offset and event length are extracted from the FW response and can lead to integer overflow, which allows the length check to pass and eventually leads to buffer overwrite when event data is copied to the context buffer. To avoid this issue, validate the event length against the available length in the context buffer, which can be obtained by taking the difference of the packet offset from the context buffer length.

Change-Id: I53798e56403f1c550f0a762645ccd67a1dc8500d
CRs-Fixed: 2436502
Bug: 139886621
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

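The additive length check described in the commit above, as an added example that is not qcacld-3.0 code: the unsafe form compares offset + length against the buffer size with both operands taken from the firmware event, and the 32-bit sum wraps; the subtractive form checks the offset on its own first and then the length against the space that remains, so nothing can wrap. The function names, the 64-byte context buffer and the test values are assumptions made for this example.

```c
/* Added example (not qcacld-3.0 code): the two ways of checking that a
 * firmware-supplied (offset, length) pair fits in a context buffer.
 * Names and the buffer size are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTX_LEN 64u   /* constructed context buffer size */

/* Unsafe: pkt_offset + evt_len is computed in uint32_t and wraps, so a huge
 * evt_len paired with a small offset produces a small sum and passes. */
bool apf_len_check_unsafe(uint32_t ctx_len, uint32_t pkt_offset, uint32_t evt_len)
{
    return pkt_offset + evt_len <= ctx_len;
}

/* Safe: check the offset alone first, then compare the length against the
 * space that remains. There is no addition, so nothing can wrap. */
bool apf_len_check_safe(uint32_t ctx_len, uint32_t pkt_offset, uint32_t evt_len)
{
    if (pkt_offset > ctx_len)
        return false;
    return evt_len <= ctx_len - pkt_offset;
}

/* Copies event data into ctx at pkt_offset only when the safe check passes.
 * Returns the number of bytes written, 0 if the event was rejected. */
uint32_t apf_copy_event(uint8_t *ctx, uint32_t ctx_len, uint32_t pkt_offset,
                        const uint8_t *evt, uint32_t evt_len)
{
    if (!apf_len_check_safe(ctx_len, pkt_offset, evt_len))
        return 0;
    memcpy(ctx + pkt_offset, evt, evt_len);
    return evt_len;
}

/* Wrapped pair: 0x10 + 0xFFFFFFF8 == 0x100000008, which is 8 in 32 bits,
 * so the unsafe check sees "8 <= 64" and accepts a 4 GiB copy. */
bool wrap_passes_unsafe_check(void) { return apf_len_check_unsafe(CTX_LEN, 0x10, 0xFFFFFFF8u); }
bool wrap_passes_safe_check(void)   { return apf_len_check_safe(CTX_LEN, 0x10, 0xFFFFFFF8u); }

/* Runs apf_copy_event against a fresh CTX_LEN buffer with a constructed
 * 4-byte payload; returns the number of bytes written. */
uint32_t copy_at_offset(uint32_t pkt_offset)
{
    uint8_t ctx[CTX_LEN] = {0};
    const uint8_t evt[4] = {1, 2, 3, 4};
    return apf_copy_event(ctx, CTX_LEN, pkt_offset, evt, sizeof evt);
}

int main(void)
{
    printf("unsafe check on wrapped pair: %s\n", wrap_passes_unsafe_check() ? "passes (bug)" : "rejects");
    printf("safe check on wrapped pair:   %s\n", wrap_passes_safe_check() ? "passes (bug)" : "rejects");
    printf("copy 4 bytes at offset 60: %u bytes written\n", copy_at_offset(60));
    printf("copy 4 bytes at offset 61: %u bytes written\n", copy_at_offset(61));
    return 0;
}
```

The safe form is also the one to use when the arithmetic is done in size_t rather than uint32_t: widening the operands only moves the wrap point, it does not remove it.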
2019-09-05  qcacld-3.0: Add check for num_peers in wma_ibss_peer_info_event_handler  gaurank kathpalia

In wma_ibss_peer_info_event_handler, the driver has an upper bound check on num_peers and not a lower bound check. num_peers should be a positive value. Since there is no check to see if num_peers is set to 0, this check can underflow and result in multiple OOB writes once the loop has incremented more than 32 times. Fix is to check whether num_peers is a positive value, and return if not.

Change-Id: I599151cc6720ed931142ad6a519add6957fea467
CRs-Fixed: 2324139
Bug: 139886106
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2019-09-05  qcacld-3.0: Fix out-of-bounds access in lim_process_assoc_req_frame  Abhinav Kumar

Currently the function lim_process_assoc_req_frame uses frame_len without validation to parse the IE buffer, which could lead to out-of-bounds memory access if frame_len is less than or equal to LIM_ASSOC_REQ_IE_OFFSET (4). Add a check to validate frame_len against LIM_ASSOC_REQ_IE_OFFSET before passing frame_len - LIM_ASSOC_REQ_IE_OFFSET to cfg_get_vendor_ie_ptr_from_oui to parse only the IE buffer.

Change-Id: Iaa9e8db4a2605169c9ad3904878a2e626eb6de8b
CRs-Fixed: 2259707
Bug: 139883000
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2019-09-05  qcacld-3.0: Check for following radio link stats events  Manikandan Mohan

When the first WMI_RADIO_LINK_STATS_EVENTID is received, the radio stats buffer is allocated based on the num_radio param. There is an option for pending following events. So update wma_unified_link_radio_stats_event_handler to check if the following events are valid wrt num_radio values to avoid buffer overwrites.

Change-Id: If4675bada5492c3bae98c655b45cac6dc76b6431
CRs-Fixed: 2309399
Bug: 139882999
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2019-09-05  qcacld-3.0: Skip IE which has length less than the minimum valid IE length  Vinay Gannevaram

QBSS IE uses a min length of 4 bytes for version 1 and a min length of 5 bytes for version 2. The min length used for the IE in the driver is 5 bytes, which can cause WPA IE parse failure if the QBSS IE is 4 bytes, resulting in failure to fetch scan results due to security mismatch and subsequently connection failure. Fix is to skip the IE which has length less than the minimum valid length.

Regression cause is I8e42fb7e9674845d152d2ec26a592e02a1b562ab.

Change-Id: I00fbffad221e2d9ecedcb87c9607ac8abd7c55b1
CRs-Fixed: 2364663
Bug: 138641772
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>

2019-09-04  qcacld-3.0: Set the minsize of SuppChannels IE to 2  Vinay Gannevaram

qcacld-2.0 to qcacld-3.0 propagation.

Some stations send an association request with a zero-length SuppChannels IE; currently dot11f decodes it to an invalid value. To fix this, set the minsize of the SuppChannels IE to 2.

Change-Id: If44807d2f2b8a62e5a137ca3d17af2e2654f72f2
CRs-Fixed: 2303702
Bug: 138641772
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>

2019-09-03  qcacld-3.0: Enable ch 144 for world reg rules  Vinay Gannevaram

Currently ch 144 is disabled by default for world reg rules. Enable channel 144 by default for world reg rules.

Change-Id: Id6e8f7db21380e052a1fe6ebff3db95437c7f1a8
CRs-Fixed: 2509880
Bug: 138389722
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>

2019-08-23  qcacld-3.0: Take a wakelock till CSA complete  Rajeev Kumar

Currently the driver sends the CSA IEs in the beacon every beacon interval, and updates the CSA IE count in every beacon. If the wlan gets suspended in between the update of the CSA IEs, the CSA is delayed till the next resume, which could lead to a STA kickout event if there is delay between the CSA period and the channel switch time. Fix is to take a wakelock till CSA is completed in order to avoid the STA kickout.

Bug: 138612266
Change-Id: Iff03476433c755cbddc7568ffbd24ddb81fd1c90
CRs-Fixed: 2504039
Signed-off-by: Rajeev Kumar <quic_rajekuma@quicinc.com>

2019-08-15  Merge android-msm-pixel-4.9-qt into android-msm-pixel-4.9-qt-qpr1  Petri Gynther

Change-Id: Ied6e4b8f2a2c9cc2fefb989bffb83816b6694212
Signed-off-by: Petri Gynther <pgynther@google.com>

2019-08-07  qcacld-3.0: Remove all calls to cdp_remove_peers_for_vdev  Vinay Gannevaram

Remove all calls to cdp_remove_peers_for_vdev(). cdp_remove_peers_for_vdev() is called from vdev_resp_handler to remove all vdev peers. All the peers associated with the vdev are deleted before vdev stop and hence this call to cdp_remove_peers_for_vdev() is redundant. Delete only the self peer and remove the code to delete the vdev peers.

Change-Id: I8a91509917a371b860058a66831d8417b3a78671
CRs-Fixed: 2002372
Bug: 135964915
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>

2019-08-06  qcacld-3.0: Remove safe channel check in validate channel switch  Bala Venkatesh

Currently, the channel switch is validated as true only in the case of a safe channel. For an unsafe channel, the channel switch will fail.

Change-Id: Ic1d11525c8ad5d93ffb31e5802083e73956704c0
CRs-Fixed: 2494488
Bug: 135760299
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>

2019-07-04  qcacld-3.0: Fix possible OOB in wma_unified_radio_tx_mem_free()  (tags: android-q-preview-6_r0.6, android-q-preview-6_r0.4, android-10.0.0_r0.4, android-10.0.0_r0.3, android-10.0.0_r0.20, android-10.0.0_r0.19, android-10.0.0_r0.12, android-10.0.0_r0.10, android-msm-crosshatch-4.9-q-preview-6, android-msm-crosshatch-4.9-android10-release, android-msm-bonito-4.9-q-preview-6, android-msm-bonito-4.9-android10-release)  Arif Hussain

In the wma_unified_radio_tx_mem_free() function, the results buffer array may be dereferenced with a large index value, which may result in OOB memory access. Fix the same by correcting the incrementing of the pointer to the results buffer.

Change-Id: I57a26dba9db32758c7d7fd51b99d3364a8020a9d
CRs-Fixed: 2308644
Bug: 136197213
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2019-05-31  qcacld-3.0: Add check for wlan_suspended in __hdd_tx_timeout  Rakshith Suresh Patkar

When the scheduler thread is suspended, it will not process any messages until it is resumed. If messages are posted to the scheduler thread when it is suspended, it will lead to a KP due to the scheduler buffer becoming full. Add a check for hdd_ctx->hdd_wlan_suspended in __hdd_tx_timeout before posting any message to the scheduler.

Change-Id: Ic0bc6ec0dda23e2a6eaf59adb21f0bca5f2707df
Bug: 133292713
CRs-Fixed: 2428339

2019-05-29  Merge "qcacld-3.0: Return proper error on request id mapping failure" into android-msm-pixel-4.9-qt  Kumar Anand

2019-05-25  Merge "qcacld-3.0: Clear oldest cached sta information" into android-msm-pixel-4.9-qt  (tags: android-q-preview-5_r0.6, android-q-preview-5_r0.4, android-msm-crosshatch-4.9-q-preview-5, android-msm-bonito-4.9-q-preview-5)  TreeHugger Robot

2019-05-24  qcacld-3.0: Clear oldest cached sta information  Ashish Kumar Dhanotiya

Currently the host is caching all the connected sta info in case of SAP. Once the sta count reaches MAX, the below mentioned issues occur:

1. The driver can not cache the information of newly connected stations.
2. Some of the info is cached at the time of connection while the remaining info is cached during disconnection. In the disconnect path the driver tries to cache some of the info such as mc_bc count and disconnect reason code; since the driver can't cache any more info, it does not find the current station which is getting disconnected in the cache sta info structure, leading to an error, and the driver returns an error without completing the wait for the disconnect event, which results in a timeout. Since sta_disconnect comes with rtnl_held, no other process is able to get the rtnl_lock until this timeout occurs.

To address this issue the below mentioned two measures are taken:

Clear the oldest cached sta information and save the newly connected station's information.

In the disconnect path, do not return any error and simply proceed with disconnection, as failure to cache the information of the sta should not stop the disconnection process.

Bug: 132884821
Bug: 133284357
Change-Id: Ia955a6774033fdfa91ff1fa7c8832b3ec7e8e1a0
CRs-Fixed: 2333075
Signed-off-by: hsuvictor <hsuvictor@google.com>

2019-05-23  qcacld-3.0: Return proper error on request id mapping failure  Rajeev Kumar

When sending keepalive packets, if there is a failure in mapping request id to pattern id in the function hdd_map_req_id_to_pattern_id(), error code EINVAL is returned. This error code is misleading and not sufficient to inform the userspace that all available buffers are utilized and it should stop sending keepalive packets. Return a proper error code if all available buffers are utilized and no buffers are available to address any new request to send keepalive packets.

Change-Id: Ie54299a0a7ff43a7044316d641d19ce12ac047c8
CRs-Fixed: 2445981
Bug: 130214647
Signed-off-by: Rajeev Kumar <quic_rajekuma@quicinc.com>

2019-05-20  Merge changes from topic "p18_pkt_log-qt" into android-msm-pixel-4.9-qt  Kumar Anand

* changes:
  qcacld-3.0: Packet stat collection failure
  qcacld-3.0: Log pkt_stats to logger thread for sw_event
  wlan: Enable pktlog when verbose log on.

2019-05-20  qcacld-3.0: Packet stat collection failure  Rajeev Kumar

Change I7fd67b02c3b7cb4f1bfe7c6f4641f6d881e25abd, made to fix a possible NULL dereference of pkt_stats_dump, caused pkt stats collection to fail as pkt_stats_dump is NULL from cds_pkt_stats_to_logger_thread. Move the NULL check for pkt_stats_dump to just before it is dereferenced.

Change-Id: I0f4c9d58f0d4d17d6c26bfbbd79f6447dd52230b
Bug: 131812584
CRs-Fixed: 2358139
Signed-off-by: Rajeev Kumar <quic_rajekuma@quicinc.com>

2019-05-20  qcacld-3.0: Log pkt_stats to logger thread for sw_event  Rajeev Kumar

pktlog log types were received as individual log types like PKTLOG_TYPE_TX_CTRL, PKTLOG_TYPE_RC_FIND, etc. As per the current implementation, FW sends an aggregated log type as PKTLOG_TYPE_SW_EVENT. This aggregated log type event is not logged to userspace. Log sw_event pkt_stats to logger thread in process_sw_event.

Change-Id: I5b12ecce25af6395a10eb7c7452a7eeb042d7c0a
Bug: 131812584
CRs-Fixed: 2396980
Signed-off-by: Rajeev Kumar <quic_rajekuma@quicinc.com>

2019-05-20  wlan: Enable pktlog when verbose log on.  lesl

In the current design, packet fate will start logging when the log level changes to WLAN_LOG_LEVEL_ACTIVE. But in the current design, no use case will change the log level to WLAN_LOG_LEVEL_ACTIVE. We use WLAN_LOG_LEVEL_REPRO when the user turns on wifi verbose logging in developer options. Change the log level check to enable pktlog with verbose on.

Bug: 131812584
Test: Manual Test
Change-Id: Ib472a33ef237639713ab489f7ad6e867b7c72b01
Signed-off-by: lesl <lesl@google.com>
(cherry picked from commit ee26a7207181f75fc144149b30c1e30b2152e03e)

2019-05-17  Merge changes I24586070,I503837a9 into android-msm-pixel-4.9  Kumar Anand

* changes:
  qcacld-3.0: Purge neighbor report cache if unsolicited
  qcacld-3.0: Post scan req on priority to sme queue

2019-05-17  Merge "qcacld-3.0: OOB read while processing extscan change results" into android-msm-pixel-4.9  TreeHugger Robot

2019-05-17  Merge changes from topic "p18_pkt_log" into android-msm-pixel-4.9  Kumar Anand

* changes:
  qcacld-3.0: Packet stat collection failure
  qcacld-3.0: Log pkt_stats to logger thread for sw_event

2019-05-17  wlan: Enable pktlog when verbose log on.  lesl

In the current design, packet fate will start logging when the log level changes to WLAN_LOG_LEVEL_ACTIVE. But in the current design, no use case will change the log level to WLAN_LOG_LEVEL_ACTIVE. We use WLAN_LOG_LEVEL_REPRO when the user turns on wifi verbose logging in developer options. Change the log level check to enable pktlog with verbose on.

Bug: 131812584
Test: Manual Test
Change-Id: Ib472a33ef237639713ab489f7ad6e867b7c72b01
Signed-off-by: lesl <lesl@google.com>
(cherry picked from commit ee26a7207181f75fc144149b30c1e30b2152e03e)

2019-05-16  qcacld-3.0: Purge neighbor report cache if unsolicited  Rajeev Kumar

Propagation from qcacld-2.0 to qcacld-3.0.

If AP sends unsolicited neighbor reports to station proactively, the cached neighbor report list will grow longer and longer. Fix it by purging the cache on reception of unsolicited neighbor report.

Change-Id: I2458607041caeb84cb553aa1b9fc6f4029a5cf1c
Bug: 131740036
CRs-Fixed: 2419615
Signed-off-by: Rajeev Kumar <quic_rajekuma@quicinc.com>

2019-05-16  qcacld-3.0: Post scan req on priority to sme queue  Rajeev Kumar

If the sme queue has many reqs pending and the scan req is posted with low priority, the scan req may not get processed for a long time. This may lead to hdd_scan_inactivity_timer trigger and assert. To fix this, post the scan req to the sme queue with priority so that it will get processed before other pending commands in the sme queue.

Change-Id: I503837a906ee9b14290c1cf681a83c17b699f6a7
Bug: 131740036
CRs-Fixed: 2452594
Signed-off-by: Rajeev Kumar <quic_rajekuma@quicinc.com>

2019-05-16  qcacld-3.0: Packet stat collection failure  Rajeev Kumar

Change I7fd67b02c3b7cb4f1bfe7c6f4641f6d881e25abd, made to fix a possible NULL dereference of pkt_stats_dump, caused pkt stats collection to fail as pkt_stats_dump is NULL from cds_pkt_stats_to_logger_thread. Move the NULL check for pkt_stats_dump to just before it is dereferenced.

Change-Id: I0f4c9d58f0d4d17d6c26bfbbd79f6447dd52230b
Bug: 131812584
CRs-Fixed: 2358139
Signed-off-by: Rajeev Kumar <quic_rajekuma@quicinc.com>

2019-05-16  qcacld-3.0: Log pkt_stats to logger thread for sw_event  Rajeev Kumar

pktlog log types were received as individual log types like PKTLOG_TYPE_TX_CTRL, PKTLOG_TYPE_RC_FIND, etc. As per the current implementation, FW sends an aggregated log type as PKTLOG_TYPE_SW_EVENT. This aggregated log type event is not logged to userspace. Log sw_event pkt_stats to logger thread in process_sw_event.

Change-Id: I5b12ecce25af6395a10eb7c7452a7eeb042d7c0a
Bug: 131812584
CRs-Fixed: 2396980
Signed-off-by: Rajeev Kumar <quic_rajekuma@quicinc.com>

2019-05-13  qcacld-3.0: Enable CONFIG_WLAN_FEATURE_SARV1_TO_SARV2  Srinivas Girigowda

Enable CONFIG_WLAN_FEATURE_SARV1_TO_SARV2.

Bug: 111415903
Bug: 132575109
Change-Id: Ic917cee4cc0b413a37bc69df68345708d546e30b
CRs-Fixed: 2282071
Signed-off-by: hsuvictor <hsuvictor@google.com>

2019-05-10  Merge "Merge branch 'android-msm-bluecross-4.9-pi-qpr3' into android-msm-pixel-4.9" into android-msm-pixel-4.9  Kelly Rossmoyer

2019-05-09  Merge branch 'android-msm-bonito-4.9-pi-qpr3' into android-msm-pixel-4.9  Kelly Rossmoyer

JULY 2019.3

Bug: 131238381
Change-Id: Id3104b91d16a9364af2ec03665b899cd7968c240
Signed-off-by: Kelly Rossmoyer <krossmo@google.com>

2019-05-09  Merge branch 'android-msm-bonito-4.9-pi-dr2' into android-msm-bonito-4.9-pi-qpr3  (tags: android-9.0.0_r0.114, android-9.0.0_r0.100, android-msm-bonito-4.9-pie-qpr3-b)  Kelly Rossmoyer

JULY 2019.2

Bug: 131238381
Change-Id: I9d2d60ec3d84a7af7b1aa30440723789ee8eef56
Signed-off-by: Kelly Rossmoyer <krossmo@google.com>

2019-05-09  Merge branch 'android-msm-bonito-4.9-pi-dr2-security-next' into android-msm-bonito-4.9-pi-dr2  Kelly Rossmoyer

JULY 2019.1

Bug: 131238381
Change-Id: I5e9d0a593e0e45e5088a04a7f0f45957fce58842
Signed-off-by: Kelly Rossmoyer <krossmo@google.com>

2019-05-09  Merge branch 'android-msm-bluecross-4.9-pi-qpr3' into android-msm-pixel-4.9  Kelly Rossmoyer

JULY 2019.5

Bug: 131239907
Change-Id: I2b19fe60ab5349b88e347a0f618b85d25b320d50
Signed-off-by: Kelly Rossmoyer <krossmo@google.com>

2019-05-09  Merge branch 'android-msm-bluecross-4.9-pi-qpr2' into android-msm-bluecross-4.9-pi-qpr3  (tags: android-9.0.0_r0.98, android-9.0.0_r0.113, android-msm-crosshatch-4.9-pie-qpr3)  Kelly Rossmoyer

JULY 2019.4

Bug: 131239907
Change-Id: I16e9dbe0de5f938dabb665ec4196b5713919fca1
Signed-off-by: Kelly Rossmoyer <krossmo@google.com>

2019-05-09  Merge branch 'android-msm-bluecross-4.9-pi-qpr1' into android-msm-bluecross-4.9-pi-qpr2  Kelly Rossmoyer

JULY 2019.3

Bug: 131239907
Change-Id: Iee30975dc5eceececdedcd5761b1245cf64e316b
Signed-off-by: Kelly Rossmoyer <krossmo@google.com>

2019-05-09  Merge branch 'android-msm-bluecross-4.9-pi-dr1' into android-msm-bluecross-4.9-pi-qpr1  Kelly Rossmoyer

JULY 2019.2

Bug: 131239907
Change-Id: I7e9e8789f82227828fb6e9e1f3ec23f463bc2726
Signed-off-by: Kelly Rossmoyer <krossmo@google.com>

2019-05-09  Merge branch 'android-msm-bluecross-4.9-pi-dr1-security-next' into android-msm-bluecross-4.9-pi-dr1  Kelly Rossmoyer

JULY 2019.1

Bug: 131239907
Change-Id: I2ebaaa4724fad59e83bcb7b2e1b7473820e480f5
Signed-off-by: Kelly Rossmoyer <krossmo@google.com>

2019-05-09  Merge "qcacld-3.0: Fix OOB read in sme_rrm_process_beacon_report_req_ind" into android-msm-bonito-4.9-pi-dr2-security-next  Kelly Rossmoyer

2019-05-09  qcacld-3.0: Fix OOB read in sme_rrm_process_beacon_report_req_ind  Pragaspathi Thilagaraj

When a beacon report request action frame is received, rrm_process_beacon_report_req() is called and the num_channels value is calculated from the action frame directly from user. This value is assigned to pSmeBcnReportReq->channelList.numChannels, and this num channels value along with the channel list is posted to sme for further processing. The sme function sme_rrm_process_beacon_report_req_ind() processes this sme message eWNI_SME_BEACON_REPORT_REQ_IND. In this function, the channels in the channel list are looped through using the received value pBeaconReq->channelList.numChannels and copied to the destination pSmeRrmContext->channelList array from the pBeaconReq->channelList.channelNumber[] array. The maximum possible number of channels in the channel list BeaconReq->channelList.channelNumber[], allocated statically in the definition of tSirChannelList, is SIR_ESE_MAX_MEAS_IE_REQS (8). So when the pBeaconReq->channelList.numChannels, possible OOB read occurs.

Validate the value of pBeaconReq->channelList.numChannels received from the action frame against the maximum supported number of channels in the channel list, SIR_ESE_MAX_MEAS_IE_REQS (8). Place this validation inside the function sme_rrm_process_beacon_report_req_ind() instead of validating it at rrm_process_beacon_report_req() so that it also defends against the other caller, sme_set_ese_beacon_request(), which comes from a user space command through IOCTL.

Bug: 130890737
Change-Id: I2074b04081328ceab7eeb29c33631a635e9d93c3
CRs-Fixed: 2335974
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2019-05-09  qcacld-3.0: Fix possible integer underflow in cfg80211_rx_mgmt  Pragaspathi Thilagaraj

In the function cfg80211_rx_mgmt, data_len is calculated as len - ieee80211_hdrlen(mgmt->frame_control). len is not validated before this calculation, so a possible integer underflow will occur if the len value is less than the value of ieee80211_hdrlen(mgmt->frame_control). Validate the value of len against ieee80211_hdrlen(mgmt->frame_control) in the caller.

Bug: 129850941
Change-Id: Iae776daf37b0c052bd4ce4da44ea728d121eae51
CRs-Fixed: 2263758
Signed-off-by: hsuvictor <hsuvictor@google.com>

2019-04-29  qcacld-3.0: Fix memzero of key_params in wma_set_stakey  (tags: android-q-preview-4_r0.4, android-q-preview-4_r0.3, android-msm-crosshatch-4.9-q-preview-4, android-msm-bonito-4.9-q-preview-4)  Abhishek Singh

In wma_set_stakey, key_params is memset to 0 in the first loop for num_key while being used in subsequent loops for num_key. So with key_params all zero, the vdev id used to send the next key is always 0. So memset key_params after the loop, before returning from wma_set_stakey.

Change-Id: I3990a5c5017f068bb41914c6e38c4e8c2155bb19
CRs-Fixed: 2441622
Bug: 130662095
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2019-04-24  qcacld-3.0: Fix possible integer underflow in cfg80211_rx_mgmt  Pragaspathi Thilagaraj

In the function cfg80211_rx_mgmt, data_len is calculated as len - ieee80211_hdrlen(mgmt->frame_control). len is not validated before this calculation, so a possible integer underflow will occur if the len value is less than the value of ieee80211_hdrlen(mgmt->frame_control). Validate the value of len against ieee80211_hdrlen(mgmt->frame_control) in the caller.

Bug: 129850941
Change-Id: Iae776daf37b0c052bd4ce4da44ea728d121eae51
CRs-Fixed: 2263758
Signed-off-by: Samuel Wang <wangsamuel@google.com>

2019-04-23  qcacld-3.0: Fix OOB read in sme_rrm_process_beacon_report_req_ind  Pragaspathi Thilagaraj

When a beacon report request action frame is received, rrm_process_beacon_report_req() is called and the num_channels value is calculated from the action frame directly from user. This value is assigned to pSmeBcnReportReq->channelList.numChannels, and this num channels value along with the channel list is posted to sme for further processing. The sme function sme_rrm_process_beacon_report_req_ind() processes this sme message eWNI_SME_BEACON_REPORT_REQ_IND. In this function, the channels in the channel list are looped through using the received value pBeaconReq->channelList.numChannels and copied to the destination pSmeRrmContext->channelList array from the pBeaconReq->channelList.channelNumber[] array. The maximum possible number of channels in the channel list BeaconReq->channelList.channelNumber[], allocated statically in the definition of tSirChannelList, is SIR_ESE_MAX_MEAS_IE_REQS (8). So when the pBeaconReq->channelList.numChannels, possible OOB read occurs.

Validate the value of pBeaconReq->channelList.numChannels received from the action frame against the maximum supported number of channels in the channel list, SIR_ESE_MAX_MEAS_IE_REQS (8). Place this validation inside the function sme_rrm_process_beacon_report_req_ind() instead of validating it at rrm_process_beacon_report_req() so that it also defends against the other caller, sme_set_ese_beacon_request(), which comes from a user space command through IOCTL.

Bug: 130890737
Change-Id: I2074b04081328ceab7eeb29c33631a635e9d93c3
CRs-Fixed: 2335974
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2019-04-23  qcacld-3.0: Fix possible OOB access in lim_process_disassoc_frame  Yeshwanth Sriram Guntuka

Reason code is extracted from frame data without validating the frame len, which could result in out of bound access. Fix is to validate frame len before extracting reason code from frame data.

Bug: 78530292
Test: Regression
Change-Id: I00795a806abcae903dd0daa019aeab990aedc3a7
CRs-Fixed: 2253984
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
(cherry picked from commit 756f27166a048786d38f9e8c0b40a3ab69828aa6)

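The length checks in several of the commits on this page share one shape: frame_len against LIM_ASSOC_REQ_IE_OFFSET in lim_process_assoc_req_frame, len against ieee80211_hdrlen() in cfg80211_rx_mgmt, the frame len before the reason code in lim_process_disassoc_frame, and the skipping of undersized elements in the QBSS IE and SuppChannels fixes. In each case an untrusted frame length must be checked before a fixed header size is subtracted from it, and each element that follows must then be bounded against what remains. The walker below over a frame's information elements is an added example written for this page; it is not code from qcacld-3.0 or from the Linux 802.11 stack. The 4-byte fixed header, the 2-byte minimum body for the Supported Channels element (element ID 36) and the sample frame bytes are constructed for the example.

```c
/* Added example (not qcacld-3.0 code): a bounds-checked walk over the
 * information elements (IEs) that follow a fixed-size header in a received
 * 802.11 frame. The fixed header length, the per-element minimum sizes and
 * the sample frame are chosen for the example, not taken from the driver. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FIXED_HDR_LEN      4u   /* example fixed fields before the IE list */
#define EID_SUPP_CHANNELS  36   /* Supported Channels element ID */

/* Minimum body length accepted for an element ID; 0 means no minimum. */
static size_t ie_min_len(uint8_t eid)
{
    switch (eid) {
    case EID_SUPP_CHANNELS: return 2;   /* one (first channel, count) pair */
    default:                return 0;
    }
}

/* Counts the well-formed IEs in frame[FIXED_HDR_LEN .. frame_len).
 * Returns -1 if the frame is too short to hold the fixed header at all,
 * so that frame_len - FIXED_HDR_LEN is never computed on a short frame.
 * An element whose body runs past the frame ends the walk; an element
 * shorter than its minimum is counted in *skipped and stepped over. */
int count_valid_ies(const uint8_t *frame, size_t frame_len, int *skipped)
{
    size_t pos, remaining;
    int count = 0;

    *skipped = 0;
    if (frame_len < FIXED_HDR_LEN)
        return -1;                      /* the subtraction below would underflow */
    remaining = frame_len - FIXED_HDR_LEN;
    pos = FIXED_HDR_LEN;

    while (remaining >= 2) {            /* need the ID and length bytes */
        uint8_t eid = frame[pos];
        uint8_t len = frame[pos + 1];
        if (len > remaining - 2)        /* body would run past the frame */
            break;
        if (len < ie_min_len(eid))
            (*skipped)++;
        else
            count++;
        pos += 2u + len;
        remaining -= 2u + len;
    }
    return count;
}

/* Constructed sample frame, 15 bytes: 4 fixed bytes, an SSID IE (ID 0,
 * len 3), a zero-length Supported Channels IE (ID 36) that must be skipped,
 * and a Supported Rates IE (ID 1, len 2). */
static const uint8_t sample_frame[] = {
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x03, 'a', 'b', 'c',
    0x24, 0x00,
    0x01, 0x02, 0x82, 0x84,
};

int sample_valid_count(void)    { int s; return count_valid_ies(sample_frame, sizeof sample_frame, &s); }
int sample_skipped_count(void)  { int s; count_valid_ies(sample_frame, sizeof sample_frame, &s); return s; }
/* Same bytes with the last one cut off: the Supported Rates body no longer fits. */
int truncated_valid_count(void) { int s; return count_valid_ies(sample_frame, sizeof sample_frame - 1, &s); }
/* A 3-byte frame is shorter than the fixed header and is rejected outright. */
int short_frame_result(void)    { int s; return count_valid_ies(sample_frame, 3, &s); }

int main(void)
{
    printf("sample frame:    %d valid, %d skipped\n", sample_valid_count(), sample_skipped_count());
    printf("truncated frame: %d valid\n", truncated_valid_count());
    printf("3-byte frame:    %d (rejected)\n", short_frame_result());
    return 0;
}
```

The two comparisons inside the loop are written as subtractions from `remaining` rather than as `pos + 2 + len > frame_len`, for the same reason as in the hdd_apf_read_memory_cb fix above: the subtractive form cannot wrap.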
2019-04-19  Merge "Merge branch 'android-msm-bonito-4.9-pi-qpr3' into android-msm-pixel-4.9" into android-msm-pixel-4.9  TreeHugger Robot