From c193fd5cb051a566bd1a0e9fd565504cab46ff23 Mon Sep 17 00:00:00 2001
From: Subhani Shaik
Date: Mon, 14 Mar 2016 12:15:32 -0700
Subject: WifiHal: Address Debug framework bugs and misc issues
Fix multiple issues
1) Extract wmsg length from nlmsg_hdr with ntohs()
2) Do not free local frame_content in get()
3) Avoid illegal memory access in wifi_set_packet_filter fn
4) Updating new enums related to WIFI Configuration
BUG: 27502434
BUG: 27595799
Change-Id: I369a6b278f3e587f07d3a57be97b61eda658104d
---
 qcwcn/wifi_hal/vendor_definitions.h | 4 ++++
 qcwcn/wifi_hal/wifi_hal.cpp | 23 ++++++++++++++---------
 qcwcn/wifi_hal/wifilogger.cpp | 16 ++++++++++------
 qcwcn/wifi_hal/wifilogger_diag.cpp | 15 +++++++++------
 4 files changed, 37 insertions(+), 21 deletions(-)
(limited to 'qcwcn')
diff --git a/qcwcn/wifi_hal/vendor_definitions.h b/qcwcn/wifi_hal/vendor_definitions.h
index eb08b29..dfadd35 100644
--- a/qcwcn/wifi_hal/vendor_definitions.h
+++ b/qcwcn/wifi_hal/vendor_definitions.h
@@ -941,6 +941,10 @@ enum qca_wlan_vendor_attr_wifi_config {
 QCA_WLAN_VENDOR_ATTR_WIFI_CONFIG_GUARD_TIME = 3,
 /* Unsigned 32-bit value */
 QCA_WLAN_VENDOR_ATTR_WIFI_CONFIG_FINE_TIME_MEASUREMENT = 4,
+ /* Unsigned 32-bit value */
+ QCA_WLAN_VENDOR_ATTR_WIFI_CONFIG_TX_RATE = 5,
+ /* Unsigned 32-bit value */
+ QCA_WLAN_VENDOR_ATTR_WIFI_CONFIG_PENALIZE_AFTER_NCONS_BEACON_MISS = 6,
 /* keep last */
 QCA_WLAN_VENDOR_ATTR_WIFI_CONFIG_AFTER_LAST,
 QCA_WLAN_VENDOR_ATTR_WIFI_CONFIG_MAX =
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index a407741..3727e0b 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -1269,15 +1269,15 @@ static wifi_error wifi_set_packet_filter(wifi_interface_handle iface,
 return WIFI_ERROR_INVALID_ARGS;
 }
- ret = initialize_vendor_cmd(iface, get_requestid(),
- QCA_NL80211_VENDOR_SUBCMD_PACKET_FILTER,
- &vCommand);
- if (ret != WIFI_SUCCESS) {
- ALOGE("%s: Initialization failed", __FUNCTION__);
- return (wifi_error)ret;
- }
-
 do {
+ ret = initialize_vendor_cmd(iface, get_requestid(),
+ QCA_NL80211_VENDOR_SUBCMD_PACKET_FILTER,
+ &vCommand);
+ if (ret != WIFI_SUCCESS) {
+ ALOGE("%s: Initialization failed", __FUNCTION__);
+ return (wifi_error)ret;
+ }
+
 /* Add the vendor specific attributes for the NL command. */
 nlData = vCommand->attr_start(NL80211_ATTR_VENDOR_DATA);
 if (!nlData)
@@ -1317,11 +1317,16 @@ static wifi_error wifi_set_packet_filter(wifi_interface_handle iface,
 goto cleanup;
 }
+ /* destroy the object after sending each fragment to driver */
+ delete vCommand;
+ vCommand = NULL;
+
 current_offset += min(info->firmware_bus_max_size, len);
 } while (current_offset < len);
 cleanup:
- delete vCommand;
+ if (vCommand)
+ delete vCommand;
 return (wifi_error)ret;
 }
diff --git a/qcwcn/wifi_hal/wifilogger.cpp b/qcwcn/wifi_hal/wifilogger.cpp
index 0ce2bab..506e0df 100644
--- a/qcwcn/wifi_hal/wifilogger.cpp
+++ b/qcwcn/wifi_hal/wifilogger.cpp
@@ -686,10 +686,12 @@ wifi_error wifi_get_tx_pkt_fates(wifi_interface_handle iface,
 tx_report_bufs[i].frame_inf.frame_content.ieee_80211_mgmt_bytes,
 tx_fate_stats[i].frame_inf.frame_content,
 min(tx_fate_stats[i].frame_inf.frame_len,
- MAX_FRAME_LEN_ETHERNET));
+ MAX_FRAME_LEN_80211_MGMT));
 else
- ALOGE("Unknown format packet");
- free (tx_fate_stats[i].frame_inf.frame_content);
+ /* Currently framework is interested only two types(
+ * FRAME_TYPE_ETHERNET_II and FRAME_TYPE_80211_MGMT) of packets, so
+ * ignore the all other types of packets received from driver */
+ ALOGI("Unknown format packet");
 }
 return WIFI_SUCCESS;
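Review bot: In wifi_set_packet_filter (wifi_hal.cpp), the initialization-failure path that the first hunk moves inside the `do` loop still ends in `return (wifi_error)ret;`, while every other failure in the loop leaves through `goto cleanup`. Whether initialize_vendor_cmd can fail after it has allocated `vCommand` is not visible here; if it can, this return leaks the command object on each failed fragment. In that case `goto cleanup;` would be the safer exit, provided `vCommand` is initialised to NULL where it is declared (outside the hunk). In the second hunk the guard at `cleanup:` is unnecessary, since deleting a null pointer is a no-op: `delete vCommand;` alone is enough.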
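Review bot: With the `free()` removed from the copy loop in wifi_get_tx_pkt_fates (wifilogger.cpp), nothing in the hunk says who now releases `tx_fate_stats[i].frame_inf.frame_content`; the same applies to the rx hunk at -750 in wifi_get_rx_pkt_fates. If the buffers are released elsewhere (not visible here), a comment above the loop would stop a later reader from re-adding the free or assuming a leak, for example `/* frame_content stays owned by <owner>; it is released in <release function> */` with the real names filled in. The `else` branch is also unbraced while its body is now a three-line comment followed by one statement; wrapping it as `else { ... ALOGI("Unknown format packet"); }` makes the extent explicit. Both loops start and end outside the hunks.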
@@ -750,10 +752,12 @@ wifi_error wifi_get_rx_pkt_fates(wifi_interface_handle iface,
 rx_report_bufs[i].frame_inf.frame_content.ieee_80211_mgmt_bytes,
 rx_fate_stats[i].frame_inf.frame_content,
 min(rx_fate_stats[i].frame_inf.frame_len,
- MAX_FRAME_LEN_ETHERNET));
+ MAX_FRAME_LEN_80211_MGMT));
 else
- ALOGE("Unknown format packet");
- free (rx_fate_stats[i].frame_inf.frame_content);
+ /* Currently framework is interested only two types(
+ * FRAME_TYPE_ETHERNET_II and FRAME_TYPE_80211_MGMT) of packets, so
+ * ignore the all other types of packets received from driver */
+ ALOGI("Unknown format packet");
 }
 return WIFI_SUCCESS;
diff --git a/qcwcn/wifi_hal/wifilogger_diag.cpp b/qcwcn/wifi_hal/wifilogger_diag.cpp
index 9ecbf45..e3090e0 100644
--- a/qcwcn/wifi_hal/wifilogger_diag.cpp
+++ b/qcwcn/wifi_hal/wifilogger_diag.cpp
@@ -1831,7 +1831,7 @@ static wifi_error parse_tx_pkt_fate_stats(hal_info *info, u8 *buf, u16 size)
 memcpy(pkt_fate_stats->frame_inf.frame_content, buf + sizeof(pktdump_hdr), pkt_fate_stats->frame_inf.frame_len);
 } else {
- ALOGE("Failed to allocate mem for Tx frame_content for packet: %d",
+ ALOGE("Failed to allocate mem for Tx frame_content for packet: %zu",
 info->pkt_fate_stats->n_tx_stats_collected);
 pkt_fate_stats->frame_inf.frame_len = 0;
 }
@@ -1873,7 +1873,7 @@ static wifi_error parse_rx_pkt_fate_stats(hal_info *info, u8 *buf, u16 size)
 memcpy(pkt_fate_stats->frame_inf.frame_content, buf + sizeof(pktdump_hdr), pkt_fate_stats->frame_inf.frame_len);
 } else {
- ALOGE("Failed to allocate mem for Rx frame_content for packet: %d",
+ ALOGE("Failed to allocate mem for Rx frame_content for packet: %zu",
 info->pkt_fate_stats->n_rx_stats_collected);
 pkt_fate_stats->frame_inf.frame_len = 0;
 }
@@ -2051,8 +2051,9 @@ wifi_error diag_message_handler(hal_info *info, nl_msg *msg)
 /* Check nlmsg_type also to avoid processing unintended msgs */
 if (wnl->nlh.nlmsg_type == ANI_NL_MSG_PUMAC) {
 if ((wnl->nlh.nlmsg_len <= sizeof(tAniNlHdr)) ||
- (wnl->nlh.nlmsg_len < (sizeof(tAniNlHdr) + wnl->wmsg.length))) {
- ALOGE("Received message with insufficent length: %d", wnl->nlh.nlmsg_len);
+ (wnl->nlh.nlmsg_len < (sizeof(tAniNlHdr) + ntohs(wnl->wmsg.length)))) {
+ ALOGE("Received UMAC message with insufficent length: %d",
+ wnl->nlh.nlmsg_len);
 return WIFI_ERROR_UNKNOWN;
 }
 if (wnl->wmsg.type == ANI_NL_MSG_LOG_HOST_EVENT_LOG_TYPE) {
@@ -2124,7 +2125,8 @@ wifi_error diag_message_handler(hal_info *info, nl_msg *msg)
 } else if (wnl->nlh.nlmsg_type == ANI_NL_MSG_LOG) {
 if ((wnl->nlh.nlmsg_len <= sizeof(tAniNlHdr)) ||
 (wnl->nlh.nlmsg_len < (sizeof(tAniNlHdr) + wnl->wmsg.length))) {
- ALOGE("Received message with insufficent length: %d", wnl->nlh.nlmsg_len);
+ ALOGE("Received LOG message with insufficent length: %d",
+ wnl->nlh.nlmsg_len);
 return WIFI_ERROR_UNKNOWN;
 }
 if (wnl->wmsg.type == ANI_NL_MSG_LOG_HOST_PRINT_TYPE) {
@@ -2142,7 +2144,8 @@ wifi_error diag_message_handler(hal_info *info, nl_msg *msg)
 if ((wnl->nlh.nlmsg_len <= NLMSG_HDRLEN + sizeof(fw_event_hdr_t)) ||
 (wnl->nlh.nlmsg_len < (NLMSG_HDRLEN + sizeof(fw_event_hdr_t) + event_hdr->length))) {
- ALOGE("Received message with insufficent length: %d", wnl->nlh.nlmsg_len);
+ ALOGE("Received CNSS_DIAG message with insufficent length: %d",
+ wnl->nlh.nlmsg_len);
 return WIFI_ERROR_UNKNOWN;
 }
 diag_fw_type = event_hdr->diag_type;
-- cgit v1.2.3
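Review bot: The `ntohs()` conversion is applied only to the ANI_NL_MSG_PUMAC length check in diag_message_handler; the ANI_NL_MSG_LOG branch in the hunk at -2124 still compares `nlmsg_len` against the raw `wnl->wmsg.length`. If both message types carry the length in network byte order (not visible here), the LOG check works on a byte-swapped value on little-endian hosts, so it can reject a valid message or accept one whose declared payload exceeds what was received. Converting once into a local, `u16 wmsg_len = ntohs(wnl->wmsg.length);`, and using it in both checks would keep them consistent. Any later read of the payload length in this function, whose body continues outside these hunks, should use the same converted value.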