authorSushant Kaushik <skaushik@qti.qualcomm.com>2015-07-22 11:19:02 +0530
committerAnjaneedevi Kapparapu <akappa@codeaurora.org>2015-07-24 16:39:38 +0530
commit59e12d6aa89f07b09ea298bf5fde40b8e1be2fc5 (patch)
tree48548ac7e50dfd7461fc37ae3080efb42666471b
parentebae368523a49cc5c6794b047586e70fcd5179e6 (diff)
wlan: Limit the Deauth Frames sent by AP to STA
Currently, when a scan is ongoing and a Deauth is sent by the AP to the STA, LIM posts the DEAUTH IND message to CSR. Because of the scan, FW keeps sending the NULL frame and the AP sends a DEAUTH frame in response to each NULL frame. This results in a flood of DEAUTH frames; the PE message queue always holds these DEAUTH frames, so CSR does not get a chance to process the DEAUTH indication. As part of the fix, received deauth frames are limited, and for PMF unprotected frames only frames with a time difference of 1 sec are passed to LIM. Change-Id: I8843f0806938be6194361b4c569845e4a735a76e CRs-Fixed: 864583
-rw-r--r--CORE/MAC/src/include/dphGlobal.h2
-rw-r--r--CORE/MAC/src/pe/include/limApi.h1
-rw-r--r--CORE/MAC/src/pe/lim/limApi.c74
-rw-r--r--CORE/MAC/src/pe/lim/limProcessDeauthFrame.c4
-rw-r--r--CORE/MAC/src/pe/lim/limProcessDisassocFrame.c4
-rw-r--r--CORE/SYS/legacy/src/system/src/sysEntryFunc.c34
6 files changed, 83 insertions, 36 deletions
diff --git a/CORE/MAC/src/include/dphGlobal.h b/CORE/MAC/src/include/dphGlobal.h
index cb220db8e5d8..dd4ebff97535 100644
--- a/CORE/MAC/src/include/dphGlobal.h
+++ b/CORE/MAC/src/include/dphGlobal.h
@@ -481,6 +481,8 @@ typedef struct sDphHashNode
tANI_U16 pmfSaQueryCurrentTransId;
tANI_U16 pmfSaQueryStartTransId;
TX_TIMER pmfSaQueryTimer;
+ v_TIME_t last_unprot_deauth_disassoc;
+ tANI_U8 proct_deauh_disassoc_cnt;
#endif
tANI_U8 htLdpcCapable;
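Review bot: The new member `proct_deauh_disassoc_cnt` is misspelled (presumably `prot_deauth_disassoc_cnt` was meant), and the same slip appears in the exported name `lim_is_deauth_diassoc_for_drop` declared in limApi.h; both are cheapest to fix now, before more callers pick them up. Neither member carries a comment, so I would add `/* system time in ms of the last unprotected deauth/disassoc passed to LIM */` and `/* non-zero once a protected deauth/disassoc has been queued */`. The struct definition starts and ends outside this hunk, so it is not visible whether the members sit under `WLAN_FEATURE_11W`, which is the only configuration in which limApi.c uses them.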
diff --git a/CORE/MAC/src/pe/include/limApi.h b/CORE/MAC/src/pe/include/limApi.h
index 8e6d8f51e51e..7aa37bdb26d6 100644
--- a/CORE/MAC/src/pe/include/limApi.h
+++ b/CORE/MAC/src/pe/include/limApi.h
@@ -175,6 +175,7 @@ void limPsOffloadHandleMissedBeaconInd(tpAniSirGlobal pMac, tpSirMsgQ pMsg);
void
limSendHeartBeatTimeoutInd(tpAniSirGlobal pMac, tpPESession psessionEntry);
tMgmtFrmDropReason limIsPktCandidateForDrop(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tANI_U32 subType);
+bool lim_is_deauth_diassoc_for_drop(tpAniSirGlobal mac, uint8_t *rx_pkt_info);
void limMicFailureInd(tpAniSirGlobal pMac, tpSirMsgQ pMsg);
#ifdef WLAN_FEATURE_ROAM_OFFLOAD
void limRoamOffloadSynchInd(tpAniSirGlobal pMac, tpSirMsgQ pMsg);
diff --git a/CORE/MAC/src/pe/lim/limApi.c b/CORE/MAC/src/pe/lim/limApi.c
index 4fe1bfaedbdc..b2e07fe6ee45 100644
--- a/CORE/MAC/src/pe/lim/limApi.c
+++ b/CORE/MAC/src/pe/lim/limApi.c
@@ -806,6 +806,80 @@ limCleanup(tpAniSirGlobal pMac)
} /*** end limCleanup() ***/
+/**
+ * lim_is_deauth_diassoc_for_drop()- function to decides to drop deauth\diassoc
+ * frames.
+ * @mac: pointer to global mac structure
+ * @rx_pkt_info: rx packet meta information
+ *
+ * This function is called before enqueuing the frame to PE queue to
+ * drop flooded deauth/diassoc frames getting into PE Queue.
+ *
+ * Return: true for dropping the frame otherwise false
+ */
+
+bool lim_is_deauth_diassoc_for_drop(tpAniSirGlobal mac, uint8_t *rx_pkt_info)
+{
+ uint8_t session_id;
+ uint16_t aid;
+ tpPESession session_entry;
+ tpSirMacMgmtHdr mac_hdr;
+ tpDphHashNode sta_ds;
+
+ mac_hdr = WDA_GET_RX_MAC_HEADER(rx_pkt_info);
+ session_entry = peFindSessionByBssid(mac, mac_hdr->bssId, &session_id);
+ if (!session_entry) {
+ PELOG1(limLog(mac, LOG1,
+ FL("session does not exist for given STA [%pM]"),
+ mac_hdr->sa););
+ return true;
+ }
+
+ sta_ds = dphLookupHashEntry(mac, mac_hdr->sa, &aid,
+ &session_entry->dph.dphHashTable);
+ if (!sta_ds) {
+ PELOG1(limLog(mac, LOG1,FL("pStaDs is NULL")););
+ return true;
+ }
+
+#ifdef WLAN_FEATURE_11W
+ if (session_entry->limRmfEnabled) {
+ if ((WDA_GET_RX_DPU_FEEDBACK(rx_pkt_info) &
+ DPU_FEEDBACK_UNPROTECTED_ERROR)) {
+ /* It may be possible that deauth/diassoc frames from a
+ * spoofy AP is received. So if all further
+ * deauth/diassoc frmaes are dropped, then it may
+ * result in lossing deauth/diassoc frames from genuine
+ * AP. So process all deauth/diassoc frames with
+ * a time difference of 1 sec.
+ */
+ if ((vos_timer_get_system_time() -
+ sta_ds->last_unprot_deauth_disassoc) < 1000)
+ return true;
+
+ sta_ds->last_unprot_deauth_disassoc =
+ vos_timer_get_system_time();
+ } else {
+ /* PMF enabed, Management frames are protected */
+ if (sta_ds->proct_deauh_disassoc_cnt)
+ return true;
+ else
+ sta_ds->proct_deauh_disassoc_cnt++;
+ }
+ }
+ else
+#endif
+ /* PMF disabled */
+ {
+ if (sta_ds->isDisassocDeauthInProgress)
+ return true;
+ else
+ sta_ds->isDisassocDeauthInProgress++;
+ }
+
+ return false;
+}
+
/** -------------------------------------------------------------
\fn peOpen
\brief will be called in Open sequence from macOpen
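Review bot: The gate in `lim_is_deauth_diassoc_for_drop` latches per-station state before anything has validated the frame: in the PMF-disabled branch the first frame whose `sa` and `bssId` match sets `isDisassocDeauthInProgress`, and in the protected branch `proct_deauh_disassoc_cnt` is set once, with no reset visible anywhere in this commit. If that first frame is later ignored, either by `limIsPktCandidateForDrop` in `sysBbtProcessMessageCore` or by an early `return` in `limProcessDeauthFrame` / `limProcessDisassocFrame` (whose own `isDisassocDeauthInProgress++` this commit removes), every later deauth/disassoc from the genuine AP would presumably be dropped at the gate until the station entry is torn down. Without PMF the addresses in the header are unauthenticated, so a single frame that did not come from the AP is enough to reach that state. I would track "already queued" in a separate member that the two handlers clear on every path where they ignore the frame, and add a comment stating where `proct_deauh_disassoc_cnt` and `last_unprot_deauth_disassoc` are reset.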
diff --git a/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c b/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
index a1c72ec5d8ee..74d5d98e4fed 100644
--- a/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
@@ -479,8 +479,7 @@ limProcessDeauthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession p
}
if ((pStaDs->mlmStaContext.mlmState == eLIM_MLM_WT_DEL_STA_RSP_STATE) ||
- (pStaDs->mlmStaContext.mlmState == eLIM_MLM_WT_DEL_BSS_RSP_STATE) ||
- (pStaDs->isDisassocDeauthInProgress)) {
+ (pStaDs->mlmStaContext.mlmState == eLIM_MLM_WT_DEL_BSS_RSP_STATE)) {
/**
* Already in the process of deleting context for the peer
* and received Deauthentication frame. Log and Ignore.
@@ -492,7 +491,6 @@ limProcessDeauthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession p
pStaDs->isDisassocDeauthInProgress);)
return;
}
- pStaDs->isDisassocDeauthInProgress++;
pStaDs->mlmStaContext.disassocReason = (tSirMacReasonCodes)reasonCode;
pStaDs->mlmStaContext.cleanupTrigger = eLIM_PEER_ENTITY_DEAUTH;
diff --git a/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c b/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
index 2a1f6495cf38..a6ecea91965a 100644
--- a/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
@@ -286,8 +286,7 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession
}
if ((pStaDs->mlmStaContext.mlmState == eLIM_MLM_WT_DEL_STA_RSP_STATE) ||
- (pStaDs->mlmStaContext.mlmState == eLIM_MLM_WT_DEL_BSS_RSP_STATE) ||
- (pStaDs->isDisassocDeauthInProgress)) {
+ (pStaDs->mlmStaContext.mlmState == eLIM_MLM_WT_DEL_BSS_RSP_STATE)) {
/**
* Already in the process of deleting context for the peer
* and received Disassociation frame. Log and Ignore.
@@ -317,7 +316,6 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession
} // if (pStaDs->mlmStaContext.mlmState != eLIM_MLM_LINK_ESTABLISHED_STATE)
- pStaDs->isDisassocDeauthInProgress++;
pStaDs->mlmStaContext.cleanupTrigger = eLIM_PEER_ENTITY_DISASSOC;
pStaDs->mlmStaContext.disassocReason = (tSirMacReasonCodes) reasonCode;
diff --git a/CORE/SYS/legacy/src/system/src/sysEntryFunc.c b/CORE/SYS/legacy/src/system/src/sysEntryFunc.c
index 234197e97d00..c4a4286c150b 100644
--- a/CORE/SYS/legacy/src/system/src/sysEntryFunc.c
+++ b/CORE/SYS/legacy/src/system/src/sysEntryFunc.c
@@ -114,7 +114,6 @@ tSirRetStatus
sysBbtProcessMessageCore(tpAniSirGlobal pMac, tpSirMsgQ pMsg, tANI_U32 type,
tANI_U32 subType)
{
- static tANI_U32 lastDeauthPacketTime = 0, lastDisassocPacketTime = 0;
tANI_U32 framecount;
tSirRetStatus ret;
void* pBd;
@@ -169,33 +168,10 @@ sysBbtProcessMessageCore(tpAniSirGlobal pMac, tpSirMsgQ pMsg, tANI_U32 type,
goto fail;
}
- if (((subType == SIR_MAC_MGMT_DEAUTH) ||
- (subType == SIR_MAC_MGMT_DISASSOC)) &&
- (framecount >= MAX_DEAUTH_ALLOWED))
- {
- tANI_U32 timeNow = adf_os_ticks(), timeGap;
- if (subType == SIR_MAC_MGMT_DEAUTH)
- timeGap = adf_os_ticks_to_msecs(timeNow -
- lastDeauthPacketTime);
- else
- timeGap = adf_os_ticks_to_msecs(timeNow -
- lastDisassocPacketTime);
- if (timeGap < 1000) {
-#ifdef WLAN_FEATURE_11W
- pMacHdr = WDA_GET_RX_MAC_HEADER(pBd);
- psessionEntry = peFindSessionByPeerSta(pMac,
- pMacHdr->sa, &sessionId);
- if(!psessionEntry) {
- PELOGE(sysLog(pMac, LOGE,
- FL("session does not exist for given STA [%pM]"),
- pMacHdr->sa););
- goto fail;
- }
- if (!psessionEntry->limRmfEnabled)
-#endif /* WLAN_FEATURE_11W */
- goto fail;
- }
- }
+ if ((subType == SIR_MAC_MGMT_DEAUTH ||
+ subType == SIR_MAC_MGMT_DISASSOC)&&
+ lim_is_deauth_diassoc_for_drop(pMac, pBd))
+ goto fail;
if (subType == SIR_MAC_MGMT_DEAUTH)
{
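Review bot: Frames rejected by `lim_is_deauth_diassoc_for_drop` leave through `goto fail` before the deauth/disassoc log blocks that follow, so as far as the visible lines show a flood that is being suppressed leaves no trace here; a per-session drop counter or a rate-limited `sysLog` on that path would keep the condition diagnosable. The old `framecount >= MAX_DEAUTH_ALLOWED` precondition is gone as well, so the gate now runs on the very first frame, and if `MAX_DEAUTH_ALLOWED` has no other user it can be removed. On style, `subType == SIR_MAC_MGMT_DISASSOC)&&` wants a space before `&&`. The body of `sysBbtProcessMessageCore` starts and ends outside this hunk.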
@@ -210,7 +186,6 @@ sysBbtProcessMessageCore(tpAniSirGlobal pMac, tpSirMsgQ pMsg, tANI_U32 type,
MAC_ADDR_ARRAY(pMacHdr->sa),
MAC_ADDR_ARRAY(pMacHdr->bssId),
pMac->sys.gSysFrameCount[type][subType] ););
- lastDeauthPacketTime = adf_os_ticks();
}
if (subType == SIR_MAC_MGMT_DISASSOC)
{
@@ -225,7 +200,6 @@ sysBbtProcessMessageCore(tpAniSirGlobal pMac, tpSirMsgQ pMsg, tANI_U32 type,
MAC_ADDR_ARRAY(pMacHdr->sa),
MAC_ADDR_ARRAY(pMacHdr->bssId),
pMac->sys.gSysFrameCount[type][subType] ););
- lastDisassocPacketTime = adf_os_ticks();
}
if( (dropReason = limIsPktCandidateForDrop(pMac, pBd, subType)) != eMGMT_DROP_NO_DROP)