Age | Commit message | Author |
|
Currently in unpack_tlv_core(), nBufRemaining is validated
after calling the framesntohs API. Since framesntohs() copies
2 bytes from the pIn address to the pOut address, as below,
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
this could cause an OOB issue if pIn contains fewer than 2 bytes.
The fix is to validate the nBufRemaining size before calling
framesntohs().
Change-Id: I3ead03ec948282a410ddba5b01f82ca31d3d9199
Bug: 202465127
CRs-Fixed: 3042282
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
|
|
Possible buffer overflow risk in function
wmi_unified_bcn_tmpl_send.
Validate the beacon template length against the
WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow.
Change-Id: I98665de677f314f30a57991f48191f847718740c
CRs-Fixed: 2960714
Bug: 202025735
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
In pe_filter_bcn_probe_frame(), the value of bcn_ssid.length
could be greater than WLAN_SSID_MAX_LEN.
Added a check to prevent a possible buffer overflow.
Change-Id: I4a5247e9ea8a1c14335935cbe0739fb21a34d1ef
CRs-Fixed: 3028274
Bug: 200234013
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
Fix OOB case in pe_filter_bcn_probe_frame() for IBSS.
Change-Id: I2838d6232a9c4c1368e51bc445f91724fa4ed0dd
CRs-Fixed: 3028360
Bug: 200923512
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
In P2P GO mode the peer type in the wlan peer common object is
always set to P2P_CLI. This leads to non-cancellation of NoA after
connecting to legacy stations. Correct the peer type for legacy
stations.
Change-Id: Ib706f9a80d0ad367e27fd21eca6cf026cba63f57
CRs-Fixed: 2406127
Bug: 194132777
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
|
|
The function aead_decrypt_assoc_rsp() calls
find_ie_data_after_fils_session_ie() to find the IE pointer after
the FILS session IE in the frame payload.
There is a possibility of integer underflow if the frame payload
length is less than FIXED_PARAM_OFFSET_ASSOC_RSP, which may increase
the value of the buf_len variable in
find_ie_data_after_fils_session_ie() and cause an OOB access during
parsing.
Validate the frame payload length against FIXED_PARAM_OFFSET_ASSOC_RSP;
if it is less, return failure.
Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
Bug: 193070701
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
Currently the driver does not subtract the already filled length
from the max available length when it copies the number of
radios to the llstats result buffer, which may lead to a buffer
overflow.
To address this issue, subtract the already filled length from the
max available length when the driver copies the number of radios.
Change-Id: Ie3b93121df603bd65250f0b0a49bb049d353211d
CRs-Fixed: 2969637
Bug: 189164671
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
|
|
SBMerger: 351186807
Change-Id: Ibf5d4b281ee072c6f23c6bcfd49b1b22b3bb41e2
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
Signed-off-by: Lucas Wei <lucaswei@google.com>
|
|
SBMerger: 351186807
Change-Id: I03f1170e00df3a30269cf34aa064e4dc8b40ae44
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
Signed-off-by: Lucas Wei <lucaswei@google.com>
|
|
In the case where the peer itself exhibits a BA window size larger
than the allowed value, a crash can happen. So, limit the
BA window size to the maximum allowed BA buffer size in case the
peer's BA request buffer size is larger than it.
Change-Id: Ie695b9787b555616a5443077147d4bc3a3aefb78
CRs-Fixed: 2766363
Bug: 182634675
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
Do not intrabss forward fragmented EAPOL frames that have
DA different from the SAP vdev mac addr.
Change-Id: I4145227c9b02fe8cec86ef4ffc3bc2025f906923
CRs-Fixed: 2888467
Bug: 182958222
|
|
Fragmented EAPOL frames, and EAPOL frames received
in a few error scenarios, with a DA different from the SAP
vdev MAC addr will be dropped.
Change-Id: I624eba5bdb43c6b88a1f57112550f8026cc35e24
CRs-Fixed: 2888227
Bug: 182958222
|
|
Fragments are not flushed as part of rekey, which
could result in fragments encrypted under different
keys being reassembled.
The fix is to flush fragments for the peer for which the add
key request is received.
Change-Id: I0c018ff7375272125c62aaea7b8ad4df9e842508
CRs-Fixed: 2875950
Bug: 182958222
|
|
Currently MIC verification is not proper for fragmented packets;
fix MIC verification for the helium family.
Change-Id: Iac95c579287bafedf6521b38f2c628fd08cca72d
CRs-Fixed: 2869483
Bug: 182958222
|
|
Multicast frames should not be fragmented, and plaintext
frags should not be reassembled in a protected network.
The fix is to drop mcast frags and plaintext frags received
in a protected network.
Change-Id: I98cf0715f5832f2f86f86b79dbdbc3a7c86dbfd0
CRs-Fixed: 2860245
Bug: 182958222
|
|
Modify the check to ensure the packet number is consecutive for
fragments, and drop the fragments if the check fails.
Change-Id: Ica24f65aff65ca58bb010c876f27964b5b2bae6a
CRs-Fixed: 2860242
Bug: 182958222
|
|
Do not intrabss forward EAPOL frames received in IPA
exception path.
Change-Id: I0be68ec2c186a7b64d4d2f1c3de7dbb20e49d860
CRs-Fixed: 2860225
Bug: 182958222
|
|
Drop non-EAPOL/WAPI frames from an unauthorized peer received
in the IPA exception path.
Change-Id: I0c0bc6e60efa193126ba1e3eca36c5e02f7f76a3
CRs-Fixed: 2860206
Bug: 182958222
|
|
Add support for flushing fragments for a particular peer.
Change-Id: I91236d2edc73317380590458b974013a02e858a1
CRs-Fixed: 2860131
Bug: 182958222
|
|
SBMerger: 351186807
Change-Id: Ibbe3230db12fafcd02a224c2632ad2adf4e7f4ef
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Hardware filters are supported for STA and P2P client modes only.
They are not supported/configured for NDI mode, but the
WMI_HW_DATA_FILTER_CMDID is sent to firmware with the disable flag
to flush the filter. Avoid sending it for NDI vdevs.
Change-Id: I34d87a4d00138386affcedecd20b7ccc90fbd05e
CRs-Fixed: 2795980
Bug: 178831106
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
|
|
Currently lim_strip_ie strips the matched IEs from the given buffer
but returns only the last matched IE. All the previous IEs matched to
the given type are lost. Fix this to strip and extract all IEs
matching the given type.
This is to address the case when multiple vendor-specific IEs are
given from userspace. The current implementation returns only the
last vendor-specific IE; this change fixes that.
Change-Id: I64ca5d2e679b8457dc2cbaf7b4b12dc0a840260d
CRs-Fixed: 2499592
Bug: 170058356
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
|
|
To process a vdev start response fail event or a wma vdev start
timeout event, the host uses bssIdx of the bss param as the vdev ID,
but the host doesn't update the vdev ID in bssIdx of the bss param
while filling the wma req for the vdev start req.
Hence, update bssIdx of the bss param with the vdev ID from the start
response or the wma req vdev ID.
Change-Id: I2132bbe6b7ced8c5631d10efad17666413b5a403
CRs-Fixed: 2860053
Bug: 178297222
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
|
|
The host updates self rsn caps to firmware using RSO commands. The
host uses the rsn caps stored in the CSR session's "rsn_caps" member,
which is the intersection of self and the AP's rsn caps. To correctly
update self rsn caps to FW, save self rsn caps in the CSR session's
"rsn_caps" member.
Change-Id: I396758382ec4228289406610006cfdbc8a4c16c5
CRs-fixed: 2832369
Bug: 175365015
Signed-off-by: Rajeev Kumar <quic_rajekuma@quicinc.com>
|
|
Currently, lim silently drops the association if it fails to
post ASSOC_IND for some reason (e.g. invalid contents of the
assoc request), and the MLM state is stuck in
eLIM_MLM_WT_ASSOC_CNF_STATE. The station context is not cleaned up
until the next association. Gracefully clean up the association
in such failure cases.
Change-Id: Iede43a1ddc4ac6ef300af02776b153b58dd70c2c
CRs-Fixed: 2810235
Bug: 177955534
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
The host sent the peer create command to firmware
before the previous peer delete response
was received for the same client.
In the failure scenario, lim is not waiting for the peer
delete response and removes the sta ds entry from
the session. If a new association request is received
from the same client, the host then tries to send the peer
create command to firmware.
Change-Id: I63fa2b3290ffc0592d2c8c12ff3a144e513dc5f2
CRs-Fixed: 2829911
Bug: 177955534
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
SBMerger: 351186807
Change-Id: Id8d4f3c95f26ebe664c4266ff9e28a27b7a409d2
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 351186807
Change-Id: I36c1245ab0d8f2004f15578e140630f28d87322c
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Remove the check of hw mode ANY in ACS so
that 5GHz channels also get a chance to get
selected. Override the channel only if the
mode is 11B/G.
Also don't override the channel for 11A, as it
can lead to STA+SAP DFS SCC.
Change-Id: Ib348095206b666793ffc145d8446e089fc96c453
CRs-Fixed: 2844587
Bug: 174373049
|
|
Currently the driver overrides the channel list
and returns the best channel of the STA to
hostapd whenever an ACS request is given.
But the 5GHz band has several checks for DFS
master, SRD etc. which should be considered
for the SAP startup.
The fix is to not override for 5GHz and to check all
the params, and only then proceed with the override.
Change-Id: I70a4614973ffd83beb2c2cb9a0204524c700b4fa
CRs-Fixed: 2834322
Bug: 174373049
Signed-off-by: Rajeev Kumar <quic_rajekuma@quicinc.com>
|
|
Currently the driver checks for A for 5GHz and
B, G for 2.4GHz to override the channel in case of
ACS override to the STA channel, but in the case of hwmode
ANY, channels can also be overridden.
The fix is to add a check for HW MODE ANY as well, along
with the concurrent channel of the STA.
Change-Id: I538a9b7dd2102dc3d6489ed719f9dae91d00dc82
CRs-Fixed: 2829498
Bug: 174373049
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>