| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213A
Change-Id: Ieb013022dc37ef4a90ab4135710018a9cad4eee4
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Check for the validity of peer_cnt when received the htt message of
HTT_T2H_MSG_TYPE_RATE_REPORT from firmware to ensure the buffer over-read
does not happen.
Change-Id: I16c811d20127fe921ef5d1b5a7750629ad38b26b
CRs-Fixed: 2159422
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213
Change-Id: Ie5f70557ccf1cb9446c0b76e9bb2059da31ca3db
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In function get_container_ies_len, nBuf is passed from caller function
as length of the buffer remaining in the frame. len is calculated from
the length field present in the IE. Then find_ie_defn is called with
nBuf + len as buffer length available leading to potential OOB read
in the function find_ie_defn.
Also in function get_container_ies_len, if len is greater than nBuf,
OOB read would occur in the caller function unpack_core.
In function unpack_core, len is calculated from the length field in
the IE buffer, then the IE is parsed in one of the unpack functions
where len is decremented without any check for min value of len.
If the value of len obtained from the IE buffer is less than the
minSize of the IE, then an integer underflow would occur.
1. In function get_container_ies_len, change calling of find_ie_defn
to use nbuf - len.
2. In function get_container_ies_len, if len > nbuf, return error.
3. In function unpack_core, add sanity check to make sure len is not
less thatn IE's minSize.
Change-Id: I8e42fb7e9674845d152d2ec26a592e02a1b562ab
CRs-Fixed: 2164014
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212Z
Change-Id: I2ed8f9193b8c44296bafa5cc38f313ac122414db
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Check for the validity of tx_desc_id when received the htt message of
HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND from firmware to ensure the buffer
overwrite does not happen.
Change-Id: I0afc781b7fff303525352b817e7eb60b8b05e4d3
CRs-Fixed: 2157917
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212Y
Change-Id: Ic707a141be0d6d3d51a76afa54a1569b001d300e
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
For the feature "STA follow AP to change its country code", need to
set all related code in the control of ini.
Change-Id: I2a1b059e01ca24ee7bb9470f10fefbadc52e7381
CRs-Fixed: 2161673
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212X
Change-Id: I30ce5144dbb6823a75c44ae426c75ddeb37ba7ef
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The Txop limit of AC_BE for ETSI is 6ms. COT fix require
ETSI AC_BE Txop limit minus 500us. Set gStaLocalEDCAForETSI=1
in WCNSS_qcom_cfg.ini to enable COT fix in both AP and
sta.
Change-Id: I8d142078f5ffba6d0fa5f6a4083e89699fcf1f66
CRs-Fixed: 2161931
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212W
Change-Id: Ib66086f23c2fabdeab2c9f03f43b7576b34c6924
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In function wma_extscan_hotlist_match_event_handler, numap and src_hotlist
are received from the FW. src_hotlist is pointer to the hostist data
and is looped for numap times and copied to the local buffer dest_hotlist.
If the value of numap is not equal to the number of src_hotlist data
present in the buffer, buffer overread would occur during memcpy.
Add check to validate the len of the buffer received from the FW is not
less than the size of fixparam struct + (numap * src_hostlist structure)
Change-Id: I2dc596f91bc49ccf0327062aa6732cd072d52085
CRs-Fixed: 2148646
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212V
Change-Id: I6400f059d1834b4f5b7a1d007cffa51ef20ea0dd
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Define WMI_PDEV_SET_RX_FILTER_PROMISCUOUS_CMDID
Change-Id: I8aa668b0825b963e11f0c2fb4f89250ec4f37a02
CRs-fixed: 865207
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Define WMI_PEER_TID_MSDUQ_QDEPTH_THRESH_UPDATE_CMDID
Change-Id: Iada3a99ef59efbfef1c289302ac7769023007b0b
CRs-fixed: 865207
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Create WMI_NDL_SCHEDULE_UPDATE_EVENT and add ndp_channel_list
in NDP confirm event.
Change-Id: I37f9d487d9452e3af771f93207a7599b69ebcf32
CRs-fixed: 865207
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Typedefine wmi_scan_start_offset
Change-Id: Id5d5c47214ffaa4e86eea415b8f43a870e549233
CRs-fixed: 865207
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212U
Change-Id: Iaebbeeb9ef37738c5a978d6130dd37550dba7cf4
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Firmware dump IRAM_SIZE for HIF_USB is not equal to default value.
Set IRAM_SIZE for HIF_USB.
Change-Id: Ic248506458b5b86924a69f2f411d1d2c61c53507
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212T
Change-Id: Ib5bb38ebef0604b385f98e438a8b97fb6e8580cd
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Change log level to error for few driver prints.
Change-Id: I8be2d88453edcdc45f3c7bdf2041c68230a3f0e5
CRs-Fixed: 2161014
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212S
Change-Id: Ia66f137f5350eb4148124fd64aa3424330b65890
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Remain on channel context should be removed as p2p if wlan is
shutdown when roc is in progress, or else there will be status
inconsistency of roc and p2p will be hang up when system is
started again during ssr test.
Change-Id: Iae235cf27a7fe7949abd1b57e397bbe8e750976f
CRs-Fixed: 2146132
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212R
Change-Id: Ib3a6b2aacf2f3787d04701431f11905fb8689a54
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
curr_con_mode is not initialized once epping is enabled
and MODULE is not defined.
Set curr_con_mode in the beginning.
Change-Id: Id25b136fd15912d46ea0682cad3745c51d902bc3
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212Q
Change-Id: If446ba9a68aa14d8a35726bbda9efd110866dcc6
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Fragment count will be larger than the upper limit of
cvg_nbuf_cb->extra_flag.num which would lead to an overread
of fragment length. Upper limit check for fragment count
is added in this change.
Change-Id: Icc078b2efee554ac84377b5edd90d0a5c7a61f98
CRs-Fixed: 2129566
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212P
Change-Id: I98528965cc719e7385c85d3c2d5e2b051d3220ca
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
A timestamp and measurement duration is added for MAC counters.
User layer APP can detect lantency for last report and its accuracy.
Change-Id: I99aa4f0f2ea92e8a7eb25c79419c480a3f4d7424
CRs-Fixed: 2139854
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212O
Change-Id: I2566c46ab13b8ca31163a920e5f6997b0bb9772c
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In function wma_vdev_start_rsp_ind, vdev_id is received from the FW
and is used to access wma_handle->interfaces without validating the
upper limit. If the value of vdev_id received from the FW is not
less than max_bssid, then a buffer overwrite will occur in the
function wma_vdev_start_rsp_ind.
Add sanity check to make sure vdev_id is less than max_bssid.
Change-Id: I83e1b797ca50a7fb58519f66dde26b035a2393ce
CRs-Fixed: 2150359
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212N
Change-Id: Id68fc5301b64610d88e165a931bc07f5de380c57
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Use do_div() for 64 bit division, because '/' can't be used for 64
bit division on arm32 platform.
In arm32 platform the pointer value is 32bit, so change the directly
assignment operation to memcpy.
Change-Id: I19a1db8adbc1fe7acaee0ec824f670b67284f628
CRs-Fixed: 2155143
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
IEEE802.11P DSRC OCB RAW mode need support Data traffic through
IPv4/IPv6 network stack. TX skb packet is started with 802.3 header,
It is required to convert header structure to IEEE802.11 data
header and EPD header. EPD header is two bytes in length, which
indictates to ether type. Vice versa for RX data packets.
Change-Id: Id07d2ac94f49a92ca5bd852ea422c627e7ae96da
CRs-Fixed: 2143802
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
qcacld-3.0 to qcacld-2.0 propagation
Add max check for probe request length against max length of probe
request buffer to avoid buffer overflow.
Change-Id: Ie0fad7443b2c749c66bb9ad662625a16d3a840c3
CRs-Fixed: 2155808
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
compile error is "this 'if' clause does not guard". Statement not
relate with 'if' clause should have the same indent with 'if'.
Change-Id: I907836e62b801bcd334705e42aff9c6f73c687a7
CRs-Fixed: 2157542
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212M
Change-Id: I0be95004504264f449829129e0c18a5bfa12fa65
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
When AP change its country code, STA will update its country
code. And also, due the firmware process, host side need to send
WMI_SCAN_CHAN_LIST_CMDID before WMI_PDEV_SET_REGDOMAIN_CMDID, so
that tx-power setting for operation channel can be applied.
Change-Id: Ib0ea550c415a09ad579f521baab5f6cefafaa101
CRs-Fixed: 2157557
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212L
Change-Id: I877065353f87cc26a16eb8881723294bef4e9133
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This feature can enable one AC tx queue optimize,
which make sure the most-recently enqueued AC packet
is transmitted and other packets in the queue is
discarded. To enable the feature, set
gEnableAcTxqOptimize in
WCNSS_qcom_cfg.ini.
Change-Id: I47d503f87dff238a088790c4dc22536b9d2136c4
CRs-Fixed: 2142709
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212K
Change-Id: Id5f0539742e6e17e993a0dab5a9ec90ae7e7284f
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add peer flush pending data feature. With this feature,
user layer APP can discard any data(per access class)
currently pending transmission.
Change-Id: I4021ab73eaa793d44f945c9bc081235575337e9b
CRs-Fixed: 2143652
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add a feature to enable using hostapd EDCA local params
for local setting. The driver used to use default EDCA
local params from wni_cfg.h. This feature let SAP can
use EDCA params from hostapd.conf for local.
To enable the feature, set
gEnableHostapdEdcaLocal=1 in WCNSS_qcom_cfg.ini.
Change-Id: I0cd1ea510d238efc05caef1fbe0834a6b365ca81
CRs-Fixed: 2143662
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add wmi_stats_period.
Change-Id: Ie20c537de8e00e247589f6048fd2b60fd2d7314b
CRs-fixed: 865207
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212J
Change-Id: Ic335716b751a248435f25859bfa8325469ede2b0
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Check for the validity of tid when received the htt message of
HTT_T2H_MSG_TYPE_RX_FLUSH & HTT_T2H_MSG_TYPE_RX_PN_IND from firmware
to ensure the buffer overflow does not happen.
And correct the sequence number type from signed int to unsigned.
Change-Id: Ibff86e891c335bfe8c2f9db82410545036463ed3
CRs-Fixed: 2149399
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.212I
Change-Id: I165314d41755ed8a34f95a0046ebdb7eaf212cd4
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Check for the validity of credits when received the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND or HTT_T2H_MSG_TYPE_TX_COMPL_IND
from firmware to ensure the integer overflow does not happen if these
messages invoked many times.
Change-Id: I01386b88f1b677153f3e51e055b7fbac073cd6b3
CRs-Fixed: 2147127
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Check for the validity of peer_id when received the htt message of
HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP from firmware
to ensure the buffer overflow does not happen.
Change-Id: Ib3f92f4de0b406a78bf34d348c07cb3981277513
CRs-Fixed: 2147119
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
For HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND, the msdu_cnt is a signed
integer coming from firmware. If set the msdu_cnt to a negative value,
or be greater than the number of current elements in the queue, the loop
will execute lots of times in ol_rx_offload_deliver_ind_handler, the
htt_rx_netbuf_pop will cause the BUG_ON issue sooner or later if it is
low latency solution.
Change the msdu_cnt type from signed to unsigned and add the validity
msdu_cnt checking will fix this issue.
Change-Id: I436557a124074f59ab11fd937dfdc975b9caebe8
CRs-Fixed: 2149461
|
