Age | Commit message | Author |
|
Bug: 233576726
Change-Id: I3c7924bb7a7323a7e4fcfcd2bd46329e47281b51
Signed-off-by: Wilson Sung <wilsonsung@google.com>
|
|
Some IoT APs may have duplicate rates in supported rates and
extended rates in beacon; need to filter them when populating peer 11a/11b
rates during connect/roaming, or an array out-of-bounds issue will happen.
Change-Id: I685e8c07ee147296bfa22742dad4210e7fa02c4a
CRs-Fixed: 3048142
Bug: 211125453
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
Some IoT APs may have duplicate rates in supported rates and
extended rates in beacon; need to filter them when populating peer 11a/11b
rates during connect/roaming, or an array out-of-bounds issue will happen.
Change-Id: I685e8c07ee147296bfa22742dad4210e7fa02c4a
CRs-Fixed: 3048142
Bug: 211125453
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
SBMerger: 410055097
Change-Id: I738f4f0474738ac410d058f9f30004d61113e869
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: I77df82e8bc8138277a108fd3a606f4b7d0d34557
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
android-msm-pixel-4.14-sc-v2
May 2022.1
Bug: 218985197
Change-Id: I58239b3ba9e80ba255a5f365c5efb01560b85ad0
|
|
SBMerger: 410055097
Change-Id: Ie73bb874c5a4434d2fad86f2320c634560c86549
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Avoid OOB read in dot11f_unpack_assoc_response API. Add check
for when nBuf == len to read another byte of pBufRemaining.
Change-Id: Iccdb0b268d16f4169b8b701ade6085d47897f785
CRs-Fixed: 3042293
Bug: 218337597
|
|
Avoid OOB read in dot11f_unpack_assoc_response API. Add check
for when nBuf == len to read another byte of pBufRemaining.
Change-Id: Iccdb0b268d16f4169b8b701ade6085d47897f785
CRs-Fixed: 3042293
Bug: 218337597
|
|
SBMerger: 410055097
Change-Id: I3e0eaca91c777c7a6cf7ee6f2d9e53755856ba1e
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: I3bc451de32ecb1dff3c4bdf2cfa890cf876e7891
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: Ia3b7a424764eaf4885f598aa2b53c34256f26399
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: I8c5e043d476cd4619106f0a6e7f5bff73043714d
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
android-msm-pixel-4.14-sc-qpr1
Jan 2022.1
Bug: 204278308
Change-Id: Ia466ab0112c6ccea9d8f3725dc027312a8a3edfc
|
|
Possible buffer overflow risk in function
wmi_unified_bcn_tmpl_send.
Validate the beacon template length against
WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow.
Change-Id: I98665de677f314f30a57991f48191f847718740c
CRs-Fixed: 2960714
Bug: 202025735
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
Currently in unpack_tlv_core(), nBufRemaining is validated
after calling framesntohs API. Since, framesntohs() copies
pIn address to pOut address with length = 2 bytes as below.
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
which could cause OOB issue if pIn contains less than 2 bytes.
Fix is to validate the nBufRemaining size before calling
framesntohs().
Change-Id: I3ead03ec948282a410ddba5b01f82ca31d3d9199
Bug: 202465127
CRs-Fixed: 3042282
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
|
|
Possible buffer overflow risk in function
wmi_unified_bcn_tmpl_send.
Validate the beacon template length against
WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow.
Change-Id: I98665de677f314f30a57991f48191f847718740c
CRs-Fixed: 2960714
Bug: 202025735
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
In pe_filter_bcn_probe_frame(), the value of bcn_ssid.length
could be greater than WLAN_SSID_MAX_LEN.
Added a check to prevent possible buffer overflow
Change-Id: I4a5247e9ea8a1c14335935cbe0739fb21a34d1ef
CRs-Fixed: 3028274
Bug: 200234013
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
Fix OOB case in pe_filter_bcn_probe_frame() for IBSS.
Change-Id: I2838d6232a9c4c1368e51bc445f91724fa4ed0dd
CRs-Fixed: 3028360
Bug: 200923512
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
SBMerger: 379283923
Change-Id: Ie8bd0c1db2d2970bb9b7f3504fa31c2b2c0057b8
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
In p2p go mode the peer type in wlan peer common object is always
set to P2P_CLI. This leads to non-cancellation of NoA after connecting
to legacy stations. Correct the peer type for legacy stations.
Change-Id: Ib706f9a80d0ad367e27fd21eca6cf026cba63f57
CRs-Fixed: 2406127
Bug: 194132777
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
|
|
SBMerger: 379283923
Change-Id: I10738d2456eb9d7266ff0967148b080520db6da1
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find IE pointer after
FILS session IE from the frame payload.
There is possibility of integer underflow if frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP which may increase value
of buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during parsing process.
Validate frame payload length with FIXED_PARAM_OFFSET_ASSOC_RSP,
if it is less then return failure.
Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
Bug: 193070701
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
SBMerger: 379283923
Change-Id: I326bc45db10234241488915c0a7192b9c4cee45d
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Currently driver does not subtract the already filled length
from the max available length when it copies the number of
radios to the llstats result buffer which may lead to buffer
overflow.
To address this issue subtract already filled length from the
max available length when driver copies the number of radios.
Change-Id: Ie3b93121df603bd65250f0b0a49bb049d353211d
CRs-Fixed: 2969637
Bug: 189164671
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
|
|
SBMerger: 351186807
Change-Id: Ibf5d4b281ee072c6f23c6bcfd49b1b22b3bb41e2
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
Signed-off-by: Lucas Wei <lucaswei@google.com>
|
|
SBMerger: 351186807
Change-Id: I03f1170e00df3a30269cf34aa064e4dc8b40ae44
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
Signed-off-by: Lucas Wei <lucaswei@google.com>
|
|
In case where peer itself exhibits BA window size more
than the allowed value, crash can happen. So, limit the
BA window size to maximum allowed BA buffer size in case
peer BA req buffer size is more than it.
Change-Id: Ie695b9787b555616a5443077147d4bc3a3aefb78
CRs-Fixed: 2766363
Bug: 182634675
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
In case where peer itself exhibits BA window size more
than the allowed value, crash can happen. So, limit the
BA window size to maximum allowed BA buffer size in case
peer BA req buffer size is more than it.
Change-Id: Ie695b9787b555616a5443077147d4bc3a3aefb78
CRs-Fixed: 2766363
Bug: 182634675
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
Do not intrabss forward fragmented EAPOL frames that have
DA different from the SAP vdev mac addr.
Change-Id: I4145227c9b02fe8cec86ef4ffc3bc2025f906923
CRs-Fixed: 2888467
Bug: 182958222
|
|
Fragmented EAPOL frames and EAPOL frames received
in few error scenarios with DA different from SAP
vdev mac addr will be dropped.
Change-Id: I624eba5bdb43c6b88a1f57112550f8026cc35e24
CRs-Fixed: 2888227
Bug: 182958222
|
|
Fragments are not flushed as part of rekey which
could result in fragments encrypted under different
keys to be reassembled.
Fix is to flush fragments for the peer for which add
key request is received.
Change-Id: I0c018ff7375272125c62aaea7b8ad4df9e842508
CRs-Fixed: 2875950
Bug: 182958222
|
|
Currently MIC verification is not proper for fragmented packets,
fix MIC verification for helium family.
Change-Id: Iac95c579287bafedf6521b38f2c628fd08cca72d
CRs-Fixed: 2869483
Bug: 182958222
|
|
Multicast frames should not be fragmented and plaintext
frags should not be reassembled in protected network.
Fix is to drop mcast frags and plaintext frags received
in protected network.
Change-Id: I98cf0715f5832f2f86f86b79dbdbc3a7c86dbfd0
CRs-Fixed: 2860245
Bug: 182958222
|
|
Modify check to ensure packet number is consecutive for
fragments and drop the fragments if the check fails.
Change-Id: Ica24f65aff65ca58bb010c876f27964b5b2bae6a
CRs-Fixed: 2860242
Bug: 182958222
|
|
Do not intrabss forward EAPOL frames received in IPA
exception path.
Change-Id: I0be68ec2c186a7b64d4d2f1c3de7dbb20e49d860
CRs-Fixed: 2860225
Bug: 182958222
|
|
Drop non-EAPOL/WAPI frames from unauthorized peer received
in the IPA exception path.
Change-Id: I0c0bc6e60efa193126ba1e3eca36c5e02f7f76a3
CRs-Fixed: 2860206
Bug: 182958222
|
|
Add support for flushing fragments for a particular peer.
Change-Id: I91236d2edc73317380590458b974013a02e858a1
CRs-Fixed: 2860131
Bug: 182958222
|
|
Do not intrabss forward fragmented EAPOL frames that have
DA different from the SAP vdev mac addr.
Change-Id: I4145227c9b02fe8cec86ef4ffc3bc2025f906923
CRs-Fixed: 2888467
Bug: 182958222
|
|
Fragmented EAPOL frames and EAPOL frames received
in few error scenarios with DA different from SAP
vdev mac addr will be dropped.
Change-Id: I624eba5bdb43c6b88a1f57112550f8026cc35e24
CRs-Fixed: 2888227
Bug: 182958222
|
|
Fragments are not flushed as part of rekey which
could result in fragments encrypted under different
keys to be reassembled.
Fix is to flush fragments for the peer for which add
key request is received.
Change-Id: I0c018ff7375272125c62aaea7b8ad4df9e842508
CRs-Fixed: 2875950
Bug: 182958222
|
|
Currently MIC verification is not proper for fragmented packets,
fix MIC verification for helium family.
Change-Id: Iac95c579287bafedf6521b38f2c628fd08cca72d
CRs-Fixed: 2869483
Bug: 182958222
|
|
Multicast frames should not be fragmented and plaintext
frags should not be reassembled in protected network.
Fix is to drop mcast frags and plaintext frags received
in protected network.
Change-Id: I98cf0715f5832f2f86f86b79dbdbc3a7c86dbfd0
CRs-Fixed: 2860245
Bug: 182958222
|
|
Modify check to ensure packet number is consecutive for
fragments and drop the fragments if the check fails.
Change-Id: Ica24f65aff65ca58bb010c876f27964b5b2bae6a
CRs-Fixed: 2860242
Bug: 182958222
|
|
Do not intrabss forward EAPOL frames received in IPA
exception path.
Change-Id: I0be68ec2c186a7b64d4d2f1c3de7dbb20e49d860
CRs-Fixed: 2860225
Bug: 182958222
|
|
Drop non-EAPOL/WAPI frames from unauthorized peer received
in the IPA exception path.
Change-Id: I0c0bc6e60efa193126ba1e3eca36c5e02f7f76a3
CRs-Fixed: 2860206
Bug: 182958222
|
|
Add support for flushing fragments for a particular peer.
Change-Id: I91236d2edc73317380590458b974013a02e858a1
CRs-Fixed: 2860131
Bug: 182958222
|
|
SBMerger: 351186807
Change-Id: Ibbe3230db12fafcd02a224c2632ad2adf4e7f4ef
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Hardware filters are supported for STA and P2P client modes only.
It's not supported/configured for NDI mode but the
WMI_HW_DATA_FILTER_CMDID is sent to firmware with disable flag
to flush the filter. Avoid sending it for NDI vdev.
Change-Id: I34d87a4d00138386affcedecd20b7ccc90fbd05e
CRs-Fixed: 2795980
Bug: 178831106
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
|
|
Hardware filters are supported for STA and P2P client modes only.
It's not supported/configured for NDI mode but the
WMI_HW_DATA_FILTER_CMDID is sent to firmware with disable flag
to flush the filter. Avoid sending it for NDI vdev.
Change-Id: I34d87a4d00138386affcedecd20b7ccc90fbd05e
CRs-Fixed: 2795980
Bug: 178831106
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
|