| Commit message |
Add channel and bandwidth validation check for
setMonChan iwpriv command.
Change-Id: I1be22799a46e3ec30cfe384563ecb8a5404d9f6a
CRs-Fixed: 2139911
|
Release 4.0.11.211C
Change-Id: I0259f6a73812692209f490c7e2fce3c2a46d28c6
CRs-Fixed: 774533
|
Fix build error due to a missing "}".
Change-Id: Id8eb8fe92e2faf36d40b97d863698bb15510e790
CRs-Fixed: 2141540
|
Release 4.0.11.211B
Change-Id: I55f9f5ec678b6cc13dea8fb60a22b2a2ed7f0a65
CRs-Fixed: 774533
|
After checking NULL pointer compl_state, host would trigger SSR, and
should break out gently to avoid dereferencing the NULL pointer again.
Change-Id: I5aefe3e2d02a6690d96fbfed895196c28e3ad23f
CRs-Fixed: 2140768
|
As required by the 802.11p-2010 spec, add 11p channels of 5MHz bandwidth.
Refer to Table J.1 & J.2 in 802.11p-2010 spec for details.
Change-Id: I3291586d60d8944030502e18cb8ff933a9795438
CRs-Fixed: 2101407
|
IEEE 1609.4-2016 5.3.4 mandates that IP datagrams can be transmitted
only through the 11p Service Channel (SCH) and can't go through the
Control Channel (CCH).
If SCH does not exist, then drop the IP datagram.
Change-Id: Ib38c10f55918d67ef3184cec0aa9b829721bd132
CRs-Fixed: 2133889
|
Check for buffer overflow in wma_log_supported_evt_handler.
Change-Id: Ib4850ce1a7abb77025a0dc8a3cc9776f6550eb9e
CRs-Fixed: 2125948
|
Update MUBeamformee capability from FW.
Change-Id: I871b8e786665abbdad54ba661e0eb7eb8a0f6412
CRs-Fixed: 2129426
|
Release 4.0.11.211A
Change-Id: Ib3a5c49651ef80d4ddd3e0f23bf1eef26fea0ad2
CRs-Fixed: 774533
|
UINT32_MAX macro is used in comparing no. of channels
list coming from firmware and checking that to
avoid integer overflow.
Change-Id: If9c79b01fd731bfeb3c525ccee8c27425f488955
CRs-Fixed: 2140053
|
Add device id of Naples PCIe board to the device id table.
CRs-Fixed: 2139356
Change-Id: I492744665399261a7cd804f485b8ffd4a4cd8715
|
Release 4.0.11.211
Change-Id: I69919c2e84aa8c111a7b874b3cb288b6aa94516d
CRs-Fixed: 774533
|
Hit one crash in p2p provision: once remain on channel times out, it
may indicate false p2p action confirmation if there is a pending action
frame; however, it still tries to send p2p action confirmation depending
on tx ack status in datapath.
The fix is to remove redundant mgmt frame session id assignment after
queuing p2p action frame in datapath.
CRs-Fixed: 2111318
Change-Id: Idb1775f5d2b2b4e3825d78dd870c8f7d287f492d
|
Release 4.0.11.210Z
Change-Id: Ifcc085bfd65899796d517b6b04c060df6d854958
CRs-Fixed: 774533
|
Check the length of the IE's before appending them
and storing them in the session in
lim_process_update_add_ies.
Change-Id: I70d26638a58998c82a8810d7c2181d1f24c56e19
CRs-Fixed: 2116592
|
Release 4.0.11.210Y
Change-Id: I499bb5e3182bc96613b8c9a83e36292d47c61184
CRs-Fixed: 774533
|
There is a memory leak if it fails to process the rx packet header in the
HIF layer. Add sanity checking to free all resources if a failure is hit.
Change-Id: Ifa443dcec0a31ae39356ac1ddf7cfe652d8968ce
CRs-Fixed: 2137727
|
Release 4.0.11.210X
Change-Id: Ie3e17d7a9ff966a85598111bebea5def3fbde55e
CRs-Fixed: 774533
|
qcacld3.0 to qcacld-2.0 propagation.
In function get_container_ies_len, output parameter pnConsumed is
uint8_t and poses a risk of integer overflow. Check value against 255
before assigning to output parameter.
Change-Id: I6e02037952ced13de45a6c030cc5a1e85070f5cd
CRs-Fixed: 2116546
|
Release 4.0.11.210W
Change-Id: Idf6d8296f1b86624bb6e25360516809290415463
CRs-Fixed: 774533
|
Adding support for collecting FW coredump for PCIe based devices.
Change-Id: I5ad78fcc3f8cda7da22adac482e1fa049b649649
CRs-Fixed: 2127387
|
Release 4.0.11.210V
Change-Id: I09772b101b37894be33656dc81215bf940a0d123
CRs-Fixed: 774533
|
In function wma_unified_debug_print_event_handler, datalen is
received from the FW and is used to mem copy data buffer from
FW into the local array dbgbuf. Since dbgbuf is a local array
of size 500 bytes, if datalen is greater than 500, buffer
overwrite occurs during memcpy.
Add sanity check to limit datalen to 500 bytes if value received
is greater than 500 bytes.
Change-Id: Id63b5106bc7a3d3836d17ae47d019bc8a71c928e
CRs-Fixed: 2114208
|
Release 4.0.11.210U
Change-Id: Ib983755845ab35c5c4cbe2bcf48c4bf82fd6ed4d
CRs-Fixed: 774533
|
Currently in wma_unified_link_peer_stats_event_handler, the check to
validate if peer_stats->num_rates is less than WMA_SVC_MSG_MAX_SIZE is
done only for the first member of the peer_stats array. This can lead
to integer overflow as num_rates is calculated as sum of
peer_stats->num_rates for each of the peer_stats in the array.
Add code changes to loop and calculate total_num_rates for all the
peer_stats and then validate total_num_rates with WMA_SVC_MSG_MAX_SIZE.
Change-Id: Ic934934a990bd55fce70a0eaffa2812bc34b0ddd
CRs-Fixed: 2116684
|
Check for buffer overflow from diag messages.
Change-Id: I9618a7b581739602efeacefe1844fd4243b55d53
CRs-Fixed: 2125961
|
In function "wma_extscan_start_stop_event_handler",
variable "event" is coming from the FW, whose content
is copied to variable "buf". Variable "vdev_id" equals
"event->vdev_id". "vdev_id" is a uint8_t value,
with no limit check, so a buffer overwrite is possible.
Add sanity check for vdev-id to avoid buffer overwrite.
Change-Id: I4af62b6061d2524a2fc67cf0ddb49d3d310db916
CRs-Fixed: 2115207
|
Release 4.0.11.210T
Change-Id: Ia69f362fb3fd358ac3057075b8989e0965cb5f50
CRs-Fixed: 774533
|
Currently, the value of fix_param->num_chans is received from FW.
If the value of variable fix_param->num_chans is very large,
then the derived length of data in the event can
overflow.
Add sanity check for fix_param->num_chans to avoid overflow.
Change-Id: Iac59550b9ecdd6833d0ad262b51e56b6532941c5
CRs-Fixed: 2114396
|
Currently, the value of param_buf->num_tbttoffset_list received
from FW is used to allocate the memory for local buffer to store
tbtt offset list. If the value of param_buf->num_tbttoffset_list
is very large then during memory allocation input argument can
overflow. As a result of this integer overflow, a heap overwrite
can occur during memory copy.
Add sanity check to make sure param_buf->num_tbttoffset_list does
not exceed the maximum limit.
Change-Id: I23528830ddb0f43c777e6124919cc35fe9a523d5
CRs-Fixed: 2114336
|
Release 4.0.11.210S
Change-Id: I7c18cefd84716a90335f53b2192aedc15c820e3b
CRs-Fixed: 774533
|
Currently wake_info->vdev_id, received from the FW, is directly used
to refer to wma->interfaces without validating if the vdev_id is valid.
Add sanity check to make sure vdev_id is less than max_bssid before
using it.
Change-Id: I66be7d15f370d0204e25c3d0ea60c0c9f5912005
CRs-Fixed: 2114363
|
Release 4.0.11.210R
Change-Id: If38be7f32f9bf1fb44d20fe9e0c1bb3ac2d17fa1
CRs-Fixed: 774533
|
Currently, sta_add_event->data_len received from FW is used to copy
data from buf_ptr to add_sta_req, which is allocated only for fixed
size of sap_offload_add_sta_req structure. If data_len received from
FW is greater than size of sap_offload_add_sta_req structure,
buffer overwrite will occur.
Add sanity check to make sure sta_add_event->data_len is not greater
than MAX_CONNECT_REQ_LENGTH.
Change-Id: Ie9e414c9f39bd01ecdca70fbb7d5438ac2e09fa1
CRs-Fixed: 2115221
|
Add checks to extscan and ocb FW message handlers.
Change-Id: I1ff5b1f8722545de4cc4f10d23ff9b914ae3428c
CRs-Fixed: 2125950
|
Currently, event->num_chains_valid received from FW is used to
check upper bound of chain rssi array which is allocated only
for fixed size of chain_rssi_result structure. If event->num_chains_valid
received from FW is greater than size of chain_rssi_result structure,
buffer overwrite will occur.
Add sanity check to make sure event->num_chains_valid is not greater
than CHAIN_MAX_NUM.
Change-Id: I25296cb122b40bd03fab663ce48104ccab6827a3
CRs-Fixed: 2113385
|
When SME Open session fails due to a timeout, the opened session
is not closed, causing the max interfaces limit to be reached and
crashing the driver.
Call sme_CloseSession in case of failure due to timeout.
Change-Id: I9ccb02b10b15aae9a30b27c9d94d1ca03ad104f9
CRs-Fixed: 2122442
|
Release 4.0.11.210Q
Change-Id: I5b93d767e6b972ac0fb0cf48979f9208b3db3a4a
CRs-Fixed: 774533
|
Check vdev_id against wma->max_bssid in wma_mcc_vdev_tx_pause_evt_handler
to avoid buffer overflow.
Change-Id: Ie47a0ed2f7f27f13a01e1b2cb365fae66b41b1df
CRs-Fixed: 2119404
|
Currently the size of array ch_list in sme_set_plm_request is
defined as WNI_CFG_VALID_CHANNEL_LIST and this is incorrect.
This is just an index to the corresponding CFG item. Fix the
size to WNI_CFG_VALID_CHANNEL_LIST_LEN which is the maximum
size that can be passed from the source buffer.
Change-Id: I90086f2c73ee09cfc9d63a327b464f4017f5b37f
CRs-Fixed: 2119733
|
After deriving the vdev_id from the vdev map in
wma_beacon_swba_handler, check for the validity
of the vdev_id.
Change-Id: Ifc4577d8a00f447e2bcfa4e01fce5ac2dbe96a4d
CRs-Fixed: 2115134
|
There is a memory leak for the RX path of SDIO WLAN if skb allocation
fails. Add condition check and free all resources for this scenario.
Change-Id: Ic4a58d3d4e93f1d6d57bfb045dfdeb131b24f72a
CRs-Fixed: 2128051
|
Release 4.0.11.210P
Change-Id: I5c7a84f3f7c82c311a2a17286a859c2ec8ae9e3d
CRs-Fixed: 774533
|
Currently the mpdu_data_len in Rx pkt meta is not checked for
upper bound in wma_form_rx_packet.
Add sanity check to drop the packet if mpdu_data_len is
greater than 2000 bytes. Also add upper bound check for
frame_len in lim_process_auth_frame function.
Change-Id: I387615127ab98ef43baa6f2570b0433af39a016e
CRs-Fixed: 2133040
|
Release 4.0.11.210O
Change-Id: Ib7e088a25d5fe3cb550e29fee5d85cc54cf02fdc
CRs-Fixed: 774533
|
FW memory dump feature is no longer used. Hence remove FW memory
dump feature code changes.
Change-Id: Ida655f83630c369df746e7c0c9d61a8fee2932a2
CRs-Fixed: 2120605
|
propagation from qcacld-3.0 to qcacld-2.0
SME module propagates KeyRSC to MAC/PE module but MAC/PE doesn't
pass this counter to WMA, due to which WMA is not able to pass it to
the next module.
Add a fix to propagate KeyRSC field from MAC to WMA module and further
down in stack.
Change-Id: I157a44610e184b5e10d838fbc5d6b810e3efd6db
CRs-Fixed: 2133114
|
propagation from qcacld-3.0 to qcacld-2.0
Currently the key sequence counter received from userspace is not
propagated to SME, so add logic to propagate it.
Change-Id: I5371700003744eb967c578c44e4d130628efcdc8
CRs-Fixed: 2133033
|
Check for the maximum number of P2P NOA descriptors in
wma_send_bcn_buf_ll.
Change-Id: If7e5b3c53309412dc7d3cd748c2f5581898fbbfe
CRs-Fixed: 2135600
|