Age  Commit message  Author
2022-05-23  Syncup 8585584 to tm related branches  (Wilson Sung)
    Tags: android-t-beta-4_r0.2, android-t-beta-4_r0.1, android-t-beta-3.3_r0.2, android-t-beta-3.3_r0.1, android-t-beta-3.2_r0.2, android-t-beta-3.2_r0.1, android-13.0.0_r0.2, android-13.0.0_r0.17, android-13.0.0_r0.16, android-13.0.0_r0.12, android-13.0.0_r0.11, android-13.0.0_r0.1, android-msm-sunfish-4.14-t-beta-4, android-msm-sunfish-4.14-t-beta-3, android-msm-coral-4.14-t-beta-4, android-msm-coral-4.14-t-beta-3
    Bug: 233576726
    Change-Id: I3c7924bb7a7323a7e4fcfcd2bd46329e47281b51
    Signed-off-by: Wilson Sung <wilsonsung@google.com>

2022-05-12  qcacld-3.0: Fix array OOB for duplicate rate  (Jianmin Zhu)
    Some IoT APs may have duplicate rates in the supported rates and extended rates in the beacon; these need to be filtered when populating peer 11a/11b rates during connect/roaming, or an array out-of-bounds issue will happen.
    Change-Id: I685e8c07ee147296bfa22742dad4210e7fa02c4a
    CRs-Fixed: 3048142
    Bug: 211125453
    Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2022-03-30  qcacld-3.0: Fix array OOB for duplicate rate  (Jianmin Zhu)
    Some IoT APs may have duplicate rates in the supported rates and extended rates in the beacon; these need to be filtered when populating peer 11a/11b rates during connect/roaming, or an array out-of-bounds issue will happen.
    Change-Id: I685e8c07ee147296bfa22742dad4210e7fa02c4a
    CRs-Fixed: 3048142
    Bug: 211125453
    Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2022-03-13  Merge android-msm-pixel-4.14-sc-qpr3 into android-msm-pixel-4.14  (PixelBot AutoMerger)
    Tags: android-t-beta-3_r0.2, android-t-beta-3_r0.1, android-t-beta-2_r0.2, android-t-beta-2_r0.1, android-msm-sunfish-4.14-t-beta-2, android-msm-coral-4.14-t-beta-2
    SBMerger: 410055097
    Change-Id: I738f4f0474738ac410d058f9f30004d61113e869
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

2022-03-13  Merge android-msm-pixel-4.14-sc-v2 into android-msm-pixel-4.14-sc-qpr3  (PixelBot AutoMerger)
    Tags: android-s-qpr3-beta-3_r0.2, android-s-qpr3-beta-3_r0.1, android-12.1.0_r0.32, android-12.1.0_r0.31, android-12.1.0_r0.25, android-12.1.0_r0.24, android-msm-sunfish-4.14-s-qpr3-beta-3, android-msm-sunfish-4.14-android12-qpr3, android-msm-coral-4.14-s-qpr3-beta-3, android-msm-coral-4.14-android12-qpr3
    SBMerger: 410055097
    Change-Id: I77df82e8bc8138277a108fd3a606f4b7d0d34557
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

2022-03-08  Merge branch 'android-msm-pixel-4.14-sc-security' into android-msm-pixel-4.14-sc-v2  (Eva Huang)
    Tags: android-12.1.0_r0.19, android-12.1.0_r0.18, android-msm-sunfish-4.14-android12L, android-msm-coral-4.14-android12L
    May 2022.1
    Bug: 218985197
    Change-Id: I58239b3ba9e80ba255a5f365c5efb01560b85ad0

2022-03-06  Merge android-msm-pixel-4.14-sc-qpr3 into android-msm-pixel-4.14  (PixelBot AutoMerger)
    SBMerger: 410055097
    Change-Id: Ie73bb874c5a4434d2fad86f2320c634560c86549
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

2022-03-01  qcacld-3.0: Avoid OOB read in dot11f_unpack_assoc_response  (Gururaj Pandurangi)
    Avoid OOB read in dot11f_unpack_assoc_response API. Add check for when nBuf == len to read another byte of pBufRemaining.
    Change-Id: Iccdb0b268d16f4169b8b701ade6085d47897f785
    CRs-Fixed: 3042293
    Bug: 218337597

2022-03-01  qcacld-3.0: Avoid OOB read in dot11f_unpack_assoc_response  (Gururaj Pandurangi)
    Avoid OOB read in dot11f_unpack_assoc_response API. Add check for when nBuf == len to read another byte of pBufRemaining.
    Change-Id: Iccdb0b268d16f4169b8b701ade6085d47897f785
    CRs-Fixed: 3042293
    Bug: 218337597

2022-01-16  Merge android-msm-pixel-4.14-sc-qpr3 into android-msm-pixel-4.14  (PixelBot AutoMerger)
    Tags: android-t-preview-2_r0.2, android-t-preview-2_r0.1, android-t-beta-1_r0.2, android-t-beta-1_r0.1, android-msm-sunfish-4.14-t-preview-2, android-msm-sunfish-4.14-t-beta-1, android-msm-coral-4.14-t-preview-2, android-msm-coral-4.14-t-beta-1
    SBMerger: 410055097
    Change-Id: I3e0eaca91c777c7a6cf7ee6f2d9e53755856ba1e
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

2022-01-16  Merge android-msm-pixel-4.14-sc-v2 into android-msm-pixel-4.14-sc-qpr3  (PixelBot AutoMerger)
    Tags: android-s-qpr3-beta-2_r0.2, android-s-qpr3-beta-2_r0.1, android-s-qpr3-beta-1_r0.2, android-s-qpr3-beta-1_r0.1, android-msm-sunfish-4.14-s-qpr3-beta-2, android-msm-coral-4.14-s-qpr3-beta-2
    SBMerger: 410055097
    Change-Id: I3bc451de32ecb1dff3c4bdf2cfa890cf876e7891
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

2022-01-09  Merge android-msm-pixel-4.14-sc-v2 into android-msm-pixel-4.14  (PixelBot AutoMerger)
    SBMerger: 410055097
    Change-Id: Ia3b7a424764eaf4885f598aa2b53c34256f26399
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

2022-01-09  Merge android-msm-pixel-4.14-sc-qpr1 into android-msm-pixel-4.14-sc-v2  (PixelBot AutoMerger)
    Tags: android-s-v2-beta-3_r0.3, android-s-v2-beta-3_r0.2, android-12.1.0_r0.3, android-12.1.0_r0.2, android-12.1.0_r0.13, android-12.1.0_r0.12, android-msm-sunfish-4.14-s-v2-beta-3, android-msm-coral-4.14-s-v2-beta-3
    SBMerger: 410055097
    Change-Id: I8c5e043d476cd4619106f0a6e7f5bff73043714d
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

2021-11-24  Merge branch 'android-msm-pixel-4.14-sc-security' into android-msm-pixel-4.14-sc-qpr1  (Eva Huang)
    Tags: android-12.0.0_r0.39, android-12.0.0_r0.38, android-12.0.0_r0.33, android-12.0.0_r0.32, android-msm-sunfish-4.14-android12-qpr1, android-msm-coral-4.14-android12-qpr1
    Jan 2022.1
    Bug: 204278308
    Change-Id: Ia466ab0112c6ccea9d8f3725dc027312a8a3edfc

2021-11-05  qcacld-3.0: Possible buffer overflow issue in wma  (abhinav kumar)
    Possible buffer overflow risk in function wmi_unified_bcn_tmpl_send. Validate the beacon template length against WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow.
    Change-Id: I98665de677f314f30a57991f48191f847718740c
    CRs-Fixed: 2960714
    Bug: 202025735
    Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2021-10-25  qcacld-3.0: Fix possible OOB in unpack_tlv_core  (Aditya Kodukula)
    Tags: android-s-v2-beta-2_r0.3, android-s-v2-beta-2_r0.2, android-s-v2-beta-1_r0.3, android-s-v2-beta-1_r0.2, android-msm-sunfish-4.14-s-v2-beta-1, android-msm-sunfish-4.14-android12-v2-beta-2, android-msm-coral-4.14-s-v2-beta-1, android-msm-coral-4.14-android12-v2-beta-2
    Currently in unpack_tlv_core(), nBufRemaining is validated after calling the framesntohs API. Since framesntohs() copies the pIn address to the pOut address with length = 2 bytes, as below:
        DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
    this could cause an OOB issue if pIn contains less than 2 bytes. Fix is to validate the nBufRemaining size before calling framesntohs().
    Change-Id: I3ead03ec948282a410ddba5b01f82ca31d3d9199
    Bug: 202465127
    CRs-Fixed: 3042282
    Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>

2021-10-25  qcacld-3.0: Possible buffer overflow issue in wma  (abhinav kumar)
    Possible buffer overflow risk in function wmi_unified_bcn_tmpl_send. Validate the beacon template length against WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow.
    Change-Id: I98665de677f314f30a57991f48191f847718740c
    CRs-Fixed: 2960714
    Bug: 202025735
    Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2021-10-25  qcacld-3.0: Fix buffer overflow in pe_filter_bcn_probe_frame()  (VIJAY RAJ)
    In pe_filter_bcn_probe_frame(), the value of bcn_ssid.length could be greater than WLAN_SSID_MAX_LEN. Added a check to prevent a possible buffer overflow.
    Change-Id: I4a5247e9ea8a1c14335935cbe0739fb21a34d1ef
    CRs-Fixed: 3028274
    Bug: 200234013
    Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2021-10-25  qcacld-3.0: Fix OOB case in pe_filter_bcn_probe_frame()  (Utkarsh Bhatnagar)
    Fix OOB case in pe_filter_bcn_probe_frame() for IBSS.
    Change-Id: I2838d6232a9c4c1368e51bc445f91724fa4ed0dd
    CRs-Fixed: 3028360
    Bug: 200923512
    Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2021-09-26  Merge android-msm-pixel-4.14-sc-qpr1 into android-msm-pixel-4.14  (PixelBot AutoMerger)
    Tags: android-t-preview-1_r0.2, android-t-preview-1_r0.1, android-msm-sunfish-4.14-t-preview-1, android-msm-coral-4.14-t-preview-1
    SBMerger: 379283923
    Change-Id: Ie8bd0c1db2d2970bb9b7f3504fa31c2b2c0057b8
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

2021-09-08  qcacld-3.0: Set the correct peer type in p2p go mode  (Aditya Kodukula)
    Tags: android-12.0.0_r0.23, android-12.0.0_r0.22
    In p2p go mode the peer type in the wlan peer common object is always set to P2P_CLI. This leads to non-cancellation of NoA after connecting to legacy stations. Correct the peer type for legacy stations.
    Change-Id: Ib706f9a80d0ad367e27fd21eca6cf026cba63f57
    CRs-Fixed: 2406127
    Bug: 194132777
    Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>

2021-08-08  Merge android-msm-pixel-4.14-sc into android-msm-pixel-4.14  (PixelBot AutoMerger)
    SBMerger: 379283923
    Change-Id: I10738d2456eb9d7266ff0967148b080520db6da1
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

2021-07-29  qcacld-3.0: Fix integer underflow in assoc response frame  (Jyoti Kumari)
    Tags: android-s-beta-5_r0.4, android-s-beta-5_r0.3, android-12.0.0_r0.5, android-12.0.0_r0.4, android-12.0.0_r0.13, android-12.0.0_r0.12, android-msm-sunfish-4.14-s-beta-5, android-msm-sunfish-4.14-android12, android-msm-coral-4.14-s-beta-5, android-msm-coral-4.14-android12
    In func aead_decrypt_assoc_rsp(), it calls find_ie_data_after_fils_session_ie() to find the IE pointer after the FILS session IE from the frame payload. There is a possibility of integer underflow if the frame payload length is less than FIXED_PARAM_OFFSET_ASSOC_RSP, which may increase the value of the buf_len variable in find_ie_data_after_fils_session_ie() and cause OOB during the parsing process. Validate the frame payload length against FIXED_PARAM_OFFSET_ASSOC_RSP; if it is less, return failure.
    Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
    CRs-Fixed: 2859024
    Bug: 193070701
    Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2021-07-04  Merge android-msm-pixel-4.14-sc into android-msm-pixel-4.14  (PixelBot AutoMerger)
    SBMerger: 379283923
    Change-Id: I326bc45db10234241488915c0a7192b9c4cee45d
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

2021-07-02  qcacld-3.0: Avoid buffer overflow in llstats debugfs response  (Aditya Kodukula)
    Tags: android-s-beta-4_r0.4, android-s-beta-4_r0.3, android-msm-sunfish-4.14-s-beta-4, android-msm-coral-4.14-s-beta-4
    Currently the driver does not subtract the already filled length from the max available length when it copies the number of radios to the llstats result buffer, which may lead to a buffer overflow. To address this issue, subtract the already filled length from the max available length when the driver copies the number of radios.
    Change-Id: Ie3b93121df603bd65250f0b0a49bb049d353211d
    CRs-Fixed: 2969637
    Bug: 189164671
    Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>

2021-04-12  Merge android-msm-pixel-4.14-rvc-qpr3 into android-msm-pixel-4.14  (Lucas Wei)
    Tags: android-s-beta-3_r0.4, android-s-beta-3_r0.3, android-s-beta-2_r0.4, android-s-beta-2_r0.3, android-msm-sunfish-4.14-s-beta-3, android-msm-sunfish-4.14-s-beta-2, android-msm-coral-4.14-s-beta-3, android-msm-coral-4.14-s-beta-2
    SBMerger: 351186807
    Change-Id: Ibf5d4b281ee072c6f23c6bcfd49b1b22b3bb41e2
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
    Signed-off-by: Lucas Wei <lucaswei@google.com>

2021-04-12  Merge android-msm-floral-4.14-rvc-qpr3 into android-msm-pixel-4.14  (Lucas Wei)
    SBMerger: 351186807
    Change-Id: I03f1170e00df3a30269cf34aa064e4dc8b40ae44
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
    Signed-off-by: Lucas Wei <lucaswei@google.com>

2021-03-30  qcacld-3.0: Limit the BA window buffer size  (Utkarsh Bhatnagar)
    Tags: android-11.0.0_r0.99, android-11.0.0_r0.94, android-11.0.0_r0.85, android-11.0.0_r0.114, android-11.0.0_r0.104, android-msm-sunfish-4.14-android11-qpr3
    In the case where the peer itself exhibits a BA window size more than the allowed value, a crash can happen. So, limit the BA window size to the maximum allowed BA buffer size in case the peer BA req buffer size is more than it.
    Change-Id: Ie695b9787b555616a5443077147d4bc3a3aefb78
    CRs-Fixed: 2766363
    Bug: 182634675
    Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2021-03-30  qcacld-3.0: Limit the BA window buffer size  (Utkarsh Bhatnagar)
    Tags: android-11.0.0_r0.98, android-11.0.0_r0.93, android-11.0.0_r0.84, android-11.0.0_r0.113, android-11.0.0_r0.103, android-msm-coral-4.14-android11-qpr3
    In the case where the peer itself exhibits a BA window size more than the allowed value, a crash can happen. So, limit the BA window size to the maximum allowed BA buffer size in case the peer BA req buffer size is more than it.
    Change-Id: Ie695b9787b555616a5443077147d4bc3a3aefb78
    CRs-Fixed: 2766363
    Bug: 182634675
    Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

2021-03-23  qcacld-3.0: Do not intrabss forward fragmented EAPOL frames  (Yeshwanth Sriram Guntuka)
    Do not intrabss forward fragmented EAPOL frames that have DA different from the SAP vdev mac addr.
    Change-Id: I4145227c9b02fe8cec86ef4ffc3bc2025f906923
    CRs-Fixed: 2888467
    Bug: 182958222

2021-03-23  qcacld-3.0: Drop EAPOL frame with DA different from SAP vdev mac addr  (Yeshwanth Sriram Guntuka)
    Fragmented EAPOL frames, and EAPOL frames received in a few error scenarios, with DA different from the SAP vdev mac addr will be dropped.
    Change-Id: I624eba5bdb43c6b88a1f57112550f8026cc35e24
    CRs-Fixed: 2888227
    Bug: 182958222

2021-03-23  qcacld-3.0: Flush frags for peer on add key request  (Yeshwanth Sriram Guntuka)
    Fragments are not flushed as part of rekey, which could result in fragments encrypted under different keys being reassembled. Fix is to flush fragments for the peer for which the add key request is received.
    Change-Id: I0c018ff7375272125c62aaea7b8ad4df9e842508
    CRs-Fixed: 2875950
    Bug: 182958222

2021-03-23  qcacld-3.0: Fix MIC verification in helium family  (Karthik Kantamneni)
    Currently MIC verification is not proper for fragmented packets; fix MIC verification for the helium family.
    Change-Id: Iac95c579287bafedf6521b38f2c628fd08cca72d
    CRs-Fixed: 2869483
    Bug: 182958222

2021-03-23  qcacld-3.0: Drop mcast and plaintext frags in protected network  (Yeshwanth Sriram Guntuka)
    Multicast frames should not be fragmented, and plaintext frags should not be reassembled in a protected network. Fix is to drop mcast frags and plaintext frags received in a protected network.
    Change-Id: I98cf0715f5832f2f86f86b79dbdbc3a7c86dbfd0
    CRs-Fixed: 2860245
    Bug: 182958222

2021-03-23  qcacld-3.0: Modify check to ensure consecutive PN for frags  (Yeshwanth Sriram Guntuka)
    Modify check to ensure the packet number is consecutive for fragments and drop the fragments if the check fails.
    Change-Id: Ica24f65aff65ca58bb010c876f27964b5b2bae6a
    CRs-Fixed: 2860242
    Bug: 182958222

2021-03-23  qcacld-3.0: Do not intrabss fwd EAPOL frames in IPA exc path  (Yeshwanth Sriram Guntuka)
    Do not intrabss forward EAPOL frames received in the IPA exception path.
    Change-Id: I0be68ec2c186a7b64d4d2f1c3de7dbb20e49d860
    CRs-Fixed: 2860225
    Bug: 182958222

2021-03-23  qcacld-3.0: Drop non-EAPOL/WAPI frames from unauthorized peer  (Yeshwanth Sriram Guntuka)
    Drop non-EAPOL/WAPI frames from an unauthorized peer received in the IPA exception path.
    Change-Id: I0c0bc6e60efa193126ba1e3eca36c5e02f7f76a3
    CRs-Fixed: 2860206
    Bug: 182958222

2021-03-23  qcacld-3.0: Add support to flush fragments for a particular peer  (Yeshwanth Sriram Guntuka)
    Add support for flushing fragments for a particular peer.
    Change-Id: I91236d2edc73317380590458b974013a02e858a1
    CRs-Fixed: 2860131
    Bug: 182958222

2021-03-23  qcacld-3.0: Do not intrabss forward fragmented EAPOL frames  (Yeshwanth Sriram Guntuka)
    Do not intrabss forward fragmented EAPOL frames that have DA different from the SAP vdev mac addr.
    Change-Id: I4145227c9b02fe8cec86ef4ffc3bc2025f906923
    CRs-Fixed: 2888467
    Bug: 182958222

2021-03-23  qcacld-3.0: Drop EAPOL frame with DA different from SAP vdev mac addr  (Yeshwanth Sriram Guntuka)
    Fragmented EAPOL frames, and EAPOL frames received in a few error scenarios, with DA different from the SAP vdev mac addr will be dropped.
    Change-Id: I624eba5bdb43c6b88a1f57112550f8026cc35e24
    CRs-Fixed: 2888227
    Bug: 182958222

2021-03-23  qcacld-3.0: Flush frags for peer on add key request  (Yeshwanth Sriram Guntuka)
    Fragments are not flushed as part of rekey, which could result in fragments encrypted under different keys being reassembled. Fix is to flush fragments for the peer for which the add key request is received.
    Change-Id: I0c018ff7375272125c62aaea7b8ad4df9e842508
    CRs-Fixed: 2875950
    Bug: 182958222

2021-03-23  qcacld-3.0: Fix MIC verification in helium family  (Karthik Kantamneni)
    Currently MIC verification is not proper for fragmented packets; fix MIC verification for the helium family.
    Change-Id: Iac95c579287bafedf6521b38f2c628fd08cca72d
    CRs-Fixed: 2869483
    Bug: 182958222

2021-03-23  qcacld-3.0: Drop mcast and plaintext frags in protected network  (Yeshwanth Sriram Guntuka)
    Multicast frames should not be fragmented, and plaintext frags should not be reassembled in a protected network. Fix is to drop mcast frags and plaintext frags received in a protected network.
    Change-Id: I98cf0715f5832f2f86f86b79dbdbc3a7c86dbfd0
    CRs-Fixed: 2860245
    Bug: 182958222

2021-03-23  qcacld-3.0: Modify check to ensure consecutive PN for frags  (Yeshwanth Sriram Guntuka)
    Modify check to ensure the packet number is consecutive for fragments and drop the fragments if the check fails.
    Change-Id: Ica24f65aff65ca58bb010c876f27964b5b2bae6a
    CRs-Fixed: 2860242
    Bug: 182958222

2021-03-23  qcacld-3.0: Do not intrabss fwd EAPOL frames in IPA exc path  (Yeshwanth Sriram Guntuka)
    Do not intrabss forward EAPOL frames received in the IPA exception path.
    Change-Id: I0be68ec2c186a7b64d4d2f1c3de7dbb20e49d860
    CRs-Fixed: 2860225
    Bug: 182958222

2021-03-23  qcacld-3.0: Drop non-EAPOL/WAPI frames from unauthorized peer  (Yeshwanth Sriram Guntuka)
    Drop non-EAPOL/WAPI frames from an unauthorized peer received in the IPA exception path.
    Change-Id: I0c0bc6e60efa193126ba1e3eca36c5e02f7f76a3
    CRs-Fixed: 2860206
    Bug: 182958222

2021-03-23  qcacld-3.0: Add support to flush fragments for a particular peer  (Yeshwanth Sriram Guntuka)
    Add support for flushing fragments for a particular peer.
    Change-Id: I91236d2edc73317380590458b974013a02e858a1
    CRs-Fixed: 2860131
    Bug: 182958222

2021-02-28  Merge android-msm-pixel-4.14-rvc-qpr3 into android-msm-pixel-4.14  (PixelBot AutoMerger)
    Tags: android-s-preview-3_r0.4, android-s-preview-3_r0.3, android-s-beta-1_r0.4, android-s-beta-1_r0.3, android-msm-sunfish-4.14-s-preview-3, android-msm-sunfish-4.14-s-beta-1, android-msm-coral-4.14-s-preview-3, android-msm-coral-4.14-s-beta-1
    SBMerger: 351186807
    Change-Id: Ibbe3230db12fafcd02a224c2632ad2adf4e7f4ef
    Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

2021-02-23  qcacld-3.0: Don't delete hw_filter for NDI mode  (Aditya Kodukula)
    Hardware filters are supported for STA and P2P client modes only. They are not supported/configured for NDI mode, but the WMI_HW_DATA_FILTER_CMDID is sent to firmware with the disable flag to flush the filter. Avoid sending it for an NDI vdev.
    Change-Id: I34d87a4d00138386affcedecd20b7ccc90fbd05e
    CRs-Fixed: 2795980
    Bug: 178831106
    Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>

2021-02-23  qcacld-3.0: Don't delete hw_filter for NDI mode  (Aditya Kodukula)
    Hardware filters are supported for STA and P2P client modes only. They are not supported/configured for NDI mode, but the WMI_HW_DATA_FILTER_CMDID is sent to firmware with the disable flag to flush the filter. Avoid sending it for an NDI vdev.
    Change-Id: I34d87a4d00138386affcedecd20b7ccc90fbd05e
    CRs-Fixed: 2795980
    Bug: 178831106
    Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>