| Commit message | Author |
|
The tx_stats array length num_entries can't be more than
param_buf->num_tx_stats from fw.
Otherwise out-of-bounds access will happen when reading wmi_tx_stats.
Change-Id: I7ab3c7cc7baef6d903ba6301622bd67efe52cebe
CRs-Fixed: 3104318
|
|
Avoid OOB read in dot11f_unpack_assoc_response API. Modify
the check to nBuf-len > 1 to read another byte of pBufRemaining.
This ensures a read of at least 2 bytes since all IEs have
at least 2 bytes.
Change-Id: Ic6756c11c05e68f0af5227971ce8b16a6c7e012a
CRs-Fixed: 3104235
|
|
Some IoT APs may have duplicate rates in the supported rates and
extended rates in the beacon; these need to be filtered when populating
peer 11a/11b rates during connect/roaming, or an array out-of-bounds
issue will happen.
Change-Id: I685e8c07ee147296bfa22742dad4210e7fa02c4a
CRs-Fixed: 3048142
|
|
It is possible that tx_time_per_power_level is not freed
in the last event and is reused in
__wma_unified_radio_tx_power_level_stats_event_handler;
by manual testing, the buffer size may be different for
each event.
Fix is to check whether the memory has been freed before malloc;
if it is not NULL, free it before malloc.
Change-Id: I51064734cf97b9ff0ecbbaf27f38d5a223c91d3b
CRs-Fixed: 3057436
|
|
Currently, NDP app info length is not being validated against the max
NDP app info length. This may result in buffer overflow while accessing
NDP app info received from the firmware.
To address this, validate NDP app info length before accessing NDP
app info.
Change-Id: Ifddf1afca7ecf2585e8eb450864d9ba127238f6e
CRs-Fixed: 3073345
|
|
Avoid OOB read in sch_get_csa_ecsa_count_offset API by
adding check for ie_len before subtracting element ID len
from it.
Change-Id: Id86e69b2c5abc37a4f33125dc5fd0bd1d92f64a7
CRs-Fixed: 3049251
|
|
Avoid OOB read in dot11f_unpack_assoc_response API. Add check
for when nBuf == len to read another byte of pBufRemaining.
Change-Id: Iccdb0b268d16f4169b8b701ade6085d47897f785
CRs-Fixed: 3042293
|
|
Avoid OOB read in sch_get_csa_ecsa_count_offset API by
adding check for ie_len before subtracting element ID len
from it.
Change-Id: Id86e69b2c5abc37a4f33125dc5fd0bd1d92f64a7
CRs-Fixed: 3049251
|
|
Avoid OOB read in dot11f_unpack_assoc_response API. Add check
for when nBuf == len to read another byte of pBufRemaining.
Change-Id: Iccdb0b268d16f4169b8b701ade6085d47897f785
CRs-Fixed: 3042293
|
|
Currently in unpack_tlv_core(), nBufRemaining is validated
after calling the framesntohs API. Since framesntohs() copies
2 bytes from the pIn address to the pOut address as below,
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
this could cause an OOB issue if pIn contains less than 2 bytes.
Fix is to validate the nBufRemaining size before calling
framesntohs().
Change-Id: I3ead03ec948282a410ddba5b01f82ca31d3d9199
CRs-Fixed: 3042282
|
|
Currently in unpack_tlv_core(), nBufRemaining is validated
after calling the framesntohs API. Since framesntohs() copies
2 bytes from the pIn address to the pOut address as below,
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
this could cause an OOB issue if pIn contains less than 2 bytes.
Fix is to validate the nBufRemaining size before calling
framesntohs().
Change-Id: I3ead03ec948282a410ddba5b01f82ca31d3d9199
CRs-Fixed: 3042282
|
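The dot11f_unpack_assoc_response, sch_get_csa_ecsa_count_offset and unpack_tlv_core entries above all fix the same class of bug: reading an element header or body before checking that the bytes are actually there. The following is an added example, not qcacld code, showing the bounded walk those fixes converge on, for 802.11 information elements (1-byte Element ID, 1-byte Length) and for TLVs with a 2-byte big-endian length of the kind framesntohs() reads. The function names and the 2-byte TLV layout (2-byte type followed by 2-byte length) are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>

/*
 * Added example, not qcacld code.  Both walkers return the number of
 * elements found, or -1 as soon as a header or body would extend past
 * the end of the buffer.
 */

#define ELEMENT_ID_EXTENSION 255

int ie_walk(const uint8_t *buf, size_t len)
{
    size_t remaining = len;
    const uint8_t *p = buf;
    int count = 0;

    while (remaining > 0) {
        /* Every IE carries at least Element ID + Length, so with fewer
         * than 2 bytes left, reading p[1] would be the out-of-bounds read.
         * Check this before touching the second byte, not after. */
        if (remaining < 2)
            return -1;
        uint8_t id = p[0];
        uint8_t ie_len = p[1];
        p += 2;
        remaining -= 2;

        /* The declared body must fit in what is left; never trust it. */
        if (ie_len > remaining)
            return -1;

        /* An extension element spends one body byte on the Element ID
         * Extension.  Check ie_len before subtracting that byte, or a
         * zero-length element wraps to a huge payload length. */
        if (id == ELEMENT_ID_EXTENSION && ie_len < 1)
            return -1;

        p += ie_len;
        remaining -= ie_len;
        count++;
    }
    return count;
}

static uint16_t rd_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Assumed TLV layout: 2-byte type, 2-byte big-endian length, body. */
int tlv16_walk(const uint8_t *buf, size_t len)
{
    size_t remaining = len;
    const uint8_t *p = buf;
    int count = 0;

    while (remaining > 0) {
        /* Type (2) + Length (2) must both be present before the 2-byte
         * read that framesntohs() performs. */
        if (remaining < 4)
            return -1;
        uint16_t tlv_len = rd_be16(p + 2);
        p += 4;
        remaining -= 4;
        if (tlv_len > remaining)
            return -1;
        p += tlv_len;
        remaining -= tlv_len;
        count++;
    }
    return count;
}
```

The inputs below are constructed for this example. A buffer that ends after an Element ID, a body that claims more bytes than remain, and an extension element with a zero-length body are all rejected before any byte past the end is touched.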
|
Possible buffer overflow risk in function
wmi_unified_bcn_tmpl_send.
Validate the beacon template length against
WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow.
Change-Id: I98665de677f314f30a57991f48191f847718740c
CRs-Fixed: 2960714
|
|
Possible buffer overflow risk in function
wmi_unified_bcn_tmpl_send.
Validate the beacon template length against
WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow.
Change-Id: I98665de677f314f30a57991f48191f847718740c
CRs-Fixed: 2960714
|
|
wma_send_peer_assoc() calls wma_unified_peer_state_update(), which
always sets the peer state to AUTH irrespective of the peer state.
Remove wma_unified_peer_state_update() from wma_send_peer_assoc()
to handle the peer state.
Change-Id: I4a887acbc8018653c34b927636cce7cc05323838
CRs-Fixed: 2888808
|
|
Do not intrabss forward fragmented EAPOL frames that have
DA different from the SAP vdev mac addr when high latency
is enabled.
Change-Id: Idb6e6c001f4dae51c2181e70ab9adbbb964f0ee3
CRs-Fixed: 2942096
|
|
Do not intrabss forward fragmented EAPOL frames that have
DA different from the SAP vdev mac addr when high latency
is enabled.
Change-Id: Idb6e6c001f4dae51c2181e70ab9adbbb964f0ee3
CRs-Fixed: 2942096
|
|
Fragmented EAPOL frames and EAPOL frames received
in a few error scenarios with DA different from the SAP
vdev mac addr will be dropped.
Change-Id: I624eba5bdb43c6b88a1f57112550f8026cc35e24
CRs-Fixed: 2888227
|
|
Do not intrabss forward EAPOL frames received in IPA
exception path.
Change-Id: I0be68ec2c186a7b64d4d2f1c3de7dbb20e49d860
CRs-Fixed: 2860225
|
|
Drop non-EAPOL/WAPI frames from unauthorized peer received
in the IPA exception path.
Change-Id: I0c0bc6e60efa193126ba1e3eca36c5e02f7f76a3
CRs-Fixed: 2860206
|
|
Do not intrabss forward fragmented EAPOL frames that have
DA different from the SAP vdev mac addr.
Change-Id: I4145227c9b02fe8cec86ef4ffc3bc2025f906923
CRs-Fixed: 2888467
|
|
Currently MIC verification is not proper for fragmented packets;
fix MIC verification for the helium family.
Change-Id: Iac95c579287bafedf6521b38f2c628fd08cca72d
CRs-Fixed: 2869483
|
|
Multicast frames should not be fragmented, and plaintext
frags should not be reassembled in a protected network.
Fix is to drop mcast frags and plaintext frags received
in a protected network.
Change-Id: I98cf0715f5832f2f86f86b79dbdbc3a7c86dbfd0
CRs-Fixed: 2860245
|
|
Fragments are not flushed as part of rekey which
could result in fragments encrypted under different
keys to be reassembled.
Fix is to flush fragments for the peer for which add
key request is received.
Change-Id: I0c018ff7375272125c62aaea7b8ad4df9e842508
CRs-Fixed: 2875950
|
|
Add support for flushing fragments for a particular peer.
Change-Id: I91236d2edc73317380590458b974013a02e858a1
CRs-Fixed: 2860131
|
|
Do not intrabss forward fragmented EAPOL frames that have
DA different from the SAP vdev mac addr.
Change-Id: I4145227c9b02fe8cec86ef4ffc3bc2025f906923
CRs-Fixed: 2888467
|
|
Currently MIC verification is not proper for fragmented packets;
fix MIC verification for the helium family.
Change-Id: Iac95c579287bafedf6521b38f2c628fd08cca72d
CRs-Fixed: 2869483
|
|
Do not intrabss forward EAPOL frames received in IPA
exception path.
Change-Id: I0be68ec2c186a7b64d4d2f1c3de7dbb20e49d860
CRs-Fixed: 2860225
|
|
Fragmented EAPOL frames and EAPOL frames received
in a few error scenarios with DA different from the SAP
vdev mac addr will be dropped.
Change-Id: I624eba5bdb43c6b88a1f57112550f8026cc35e24
CRs-Fixed: 2888227
|
|
Drop non-EAPOL/WAPI frames from unauthorized peer received
in the IPA exception path.
Change-Id: I0c0bc6e60efa193126ba1e3eca36c5e02f7f76a3
CRs-Fixed: 2860206
|
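The EAPOL and IPA-exception-path entries above describe a receive policy for a SAP rather than a single bounds check: handshake frames belong to the authenticator, and an unauthorized peer gets nothing but handshake traffic through. The block below is an added example, not qcacld code, that encodes that policy as one decision function. The commits restrict the EAPOL drop to fragmented frames and frames arriving via the IPA exception path; this example goes further and drops every EAPOL/WAPI frame not addressed to the SAP, which is an assumption of the example. Struct and function names are likewise assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not qcacld code. */

#define ETHERTYPE_EAPOL 0x888e
#define ETHERTYPE_WAPI  0x88b4

enum rx_action { RX_DROP = 0, RX_TO_STACK = 1, RX_INTRABSS_FWD = 2 };

struct rx_meta {
    uint16_t ethertype;
    uint8_t  da[6];
    bool     peer_authorized;  /* sender completed the 4-way handshake */
};

static bool is_handshake_frame(uint16_t et)
{
    return et == ETHERTYPE_EAPOL || et == ETHERTYPE_WAPI;
}

/* Decide what the SAP does with a data frame received from an
 * associated STA: hand it to the local stack, bridge it to another
 * STA in the BSS (intra-BSS forward), or drop it. */
enum rx_action sap_rx_decide(const struct rx_meta *m, const uint8_t vdev_mac[6])
{
    bool to_self = memcmp(m->da, vdev_mac, 6) == 0;

    /* Until the peer is authorized, only handshake traffic is admitted,
     * regardless of which path (normal or IPA exception) delivered it. */
    if (!m->peer_authorized && !is_handshake_frame(m->ethertype))
        return RX_DROP;

    if (is_handshake_frame(m->ethertype)) {
        if (to_self)
            return RX_TO_STACK;
        /* Relaying a client's EAPOL to another STA would make the SAP a
         * conduit for attacking that STA's handshake.  Dropped here for
         * every foreign DA (example assumption; the commits cover the
         * fragmented and IPA-exception cases). */
        return RX_DROP;
    }

    if (to_self)
        return RX_TO_STACK;
    /* Authorized peer, ordinary data, unicast to another STA or a group
     * address: intra-BSS forward. */
    return RX_INTRABSS_FWD;
}
```

The test inputs are constructed for this example: an EAPOL frame addressed to the SAP passes up even from an unauthorized peer, while an IP frame from that same peer is dropped, and EAPOL aimed at another client is dropped whether or not the sender is authorized.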
|
Modify check to ensure packet number is consecutive for
fragments and drop the fragments if the check fails.
Change-Id: Ica24f65aff65ca58bb010c876f27964b5b2bae6a
CRs-Fixed: 2860242
|
|
Fragments are not flushed as part of rekey which
could result in fragments encrypted under different
keys to be reassembled.
Fix is to flush fragments for the peer for which add
key request is received.
Change-Id: I0c018ff7375272125c62aaea7b8ad4df9e842508
CRs-Fixed: 2875950
|
|
Add support for flushing fragments for a particular peer.
Change-Id: I91236d2edc73317380590458b974013a02e858a1
CRs-Fixed: 2860131
|
|
Modify check to ensure packet number is consecutive for
fragments and drop the fragments if the check fails.
Change-Id: Ica24f65aff65ca58bb010c876f27964b5b2bae6a
CRs-Fixed: 2860242
|
|
Multicast frames should not be fragmented, and plaintext
frags should not be reassembled in a protected network.
Fix is to drop mcast frags and plaintext frags received
in a protected network.
Change-Id: I98cf0715f5832f2f86f86b79dbdbc3a7c86dbfd0
CRs-Fixed: 2860245
|
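The fragment-handling entries above (drop fragmented multicast and plaintext fragments in a protected network, require consecutive packet numbers across fragments, flush a peer's fragments on add key) together describe the admission checks a per-peer reassembly cache needs so that fragments encrypted under different keys, or spliced in by an attacker, are never combined. The block below is an added example, not qcacld code, implementing those checks over a constructed fragment record; struct names, the verdict values and the buffer size are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not qcacld code. */

#define FRAG_BUF_BYTES 2304   /* constructed reassembly limit */

struct rx_frag {
    uint8_t        da[6];
    bool           protected_frame; /* Protected Frame bit set */
    uint64_t       pn;              /* CCMP/GCMP packet number */
    uint8_t        frag_num;        /* Sequence Control fragment number */
    bool           more_frags;      /* More Fragments bit */
    const uint8_t *payload;
    size_t         payload_len;
};

struct peer_frag_ctx {
    bool     key_installed;  /* pairwise key present: network is protected */
    bool     in_progress;
    uint8_t  next_frag;
    uint64_t last_pn;
    size_t   buf_len;
    uint8_t  buf[FRAG_BUF_BYTES];
};

enum { FRAG_DROP = -1, FRAG_PENDING = 0, FRAG_COMPLETE = 1 };

static bool is_group_addr(const uint8_t *da)
{
    return (da[0] & 0x01) != 0;
}

void frag_flush(struct peer_frag_ctx *c)
{
    c->in_progress = false;
    c->next_frag = 0;
    c->last_pn = 0;
    c->buf_len = 0;
}

/* On an add-key request for the peer: anything buffered was encrypted
 * under the old key and must not be completed with new-key fragments. */
void frag_on_add_key(struct peer_frag_ctx *c)
{
    frag_flush(c);
    c->key_installed = true;
}

int frag_rx(struct peer_frag_ctx *c, const struct rx_frag *f)
{
    bool is_fragment = f->more_frags || f->frag_num != 0;

    /* Group-addressed frames are never fragmented; such a frame is bogus. */
    if (is_group_addr(f->da) && is_fragment)
        return FRAG_DROP;
    /* Plaintext fragments must not be reassembled once the link is protected. */
    if (c->key_installed && !f->protected_frame && is_fragment)
        return FRAG_DROP;

    if (f->frag_num == 0) {
        frag_flush(c);   /* a new first fragment abandons any partial MSDU */
    } else {
        if (!c->in_progress || f->frag_num != c->next_frag)
            return FRAG_DROP;
        /* CCMP/GCMP assign one PN per MPDU, so the fragments of one MSDU
         * carry consecutive PNs; a gap means a replayed or spliced fragment. */
        if (c->key_installed && f->pn != c->last_pn + 1)
            return FRAG_DROP;
    }

    if (f->payload_len > FRAG_BUF_BYTES - c->buf_len)
        return FRAG_DROP;
    memcpy(c->buf + c->buf_len, f->payload, f->payload_len);
    c->buf_len += f->payload_len;
    c->last_pn = f->pn;
    c->next_frag = (uint8_t)(f->frag_num + 1);
    c->in_progress = f->more_frags;
    return f->more_frags ? FRAG_PENDING : FRAG_COMPLETE;
}
```

On FRAG_COMPLETE the reassembled MSDU is in c->buf with length c->buf_len. The sequence in the test is constructed: a clean two-fragment MSDU completes, a second fragment with a skipped PN is dropped, a rekey between fragments discards the first one so the second is rejected, and plaintext or multicast fragments are refused outright.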
|
In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find the IE pointer after
the FILS session IE in the frame payload.
There is a possibility of integer underflow if the frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP, which may increase the value
of the buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during the parsing process.
Validate the frame payload length against FIXED_PARAM_OFFSET_ASSOC_RSP;
if it is less, then return failure.
Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
|
|
In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find the IE pointer after
the FILS session IE in the frame payload.
There is a possibility of integer underflow if the frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP, which may increase the value
of the buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during the parsing process.
Validate the frame payload length against FIXED_PARAM_OFFSET_ASSOC_RSP;
if it is less, then return failure.
Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
|
|
Currently lim_strip_ie strips the matched IEs from the given buffer
but returns only the last matched IE. All the previous IEs matched to
the given type are lost. Fix this to strip and extract all IEs
matched to the given type.
This is to address the case when multiple vendor specific IEs are
given from userspace. The current implementation returns only the
last vendor specific IE. This is to fix the same.
Change-Id: I64ca5d2e679b8457dc2cbaf7b4b12dc0a840260d
CRs-Fixed: 2499592
|
|
Currently, lim silently drops the association if it fails to
post ASSOC_IND for some reason (e.g. invalid contents of the
assoc request), and the MLM state is stuck in
eLIM_MLM_WT_ASSOC_CNF_STATE. The station context is not cleaned up
till the next association. Gracefully clean up the association
in such failure cases.
Change-Id: Iede43a1ddc4ac6ef300af02776b153b58dd70c2c
CRs-Fixed: 2810235
|
|
Currently, lim silently drops the association if it fails to
post ASSOC_IND for some reason (e.g. invalid contents of the
assoc request), and the MLM state is stuck in
eLIM_MLM_WT_ASSOC_CNF_STATE. The station context is not cleaned up
till the next association. Gracefully clean up the association
in such failure cases.
Change-Id: Iede43a1ddc4ac6ef300af02776b153b58dd70c2c
CRs-Fixed: 2810235
|
|
In function rrm_fill_beacon_ies, the total IE length is
calculated as the sum of the length field of the IE and 2 (element id 1
byte and IE length field 1 byte). The total IE length is defined
as type uint16_t and will overflow if *(pBcnIes + 1) = 0xfe.
Validate the len against the total IE length to avoid overflow.
Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2573329
|
|
In hdd_apf_read_memory_cb, the context buffer length is checked
against the sum of the packet offset and event length. The packet
offset and event length are extracted from the FW response and can
lead to an integer overflow, which will allow the length check to
pass and eventually lead to a buffer overwrite when event data is
copied to the context buffer.
To avoid this issue, validate the event length against the
available length in the context buffer, which can be obtained
by subtracting the packet offset from the context buffer
length.
Change-Id: I53798e56403f1c550f0a762645ccd67a1dc8500d
CRs-Fixed: 2436502
|
|
When host sends assoc response to supplicant, it
allocates a buffer of fixed size and copies a variable
length of assoc response IEs to this fixed sized buffer.
There is a possibility of OOB write to the allocated buffer
if the assoc response IEs length is greater than the
allocated buffer size.
To avoid above issue validate the assoc response IEs length
with the allocated buffer size before data copy to the buffer.
Change-Id: Ib12385e9ff04e5172ae8b505faf959e426fda439
CRs-Fixed: 2583124
|
|
When host sends ft assoc response to supplicant, it
allocates a buffer of fixed size and copies a variable
length of assoc response IEs to this fixed sized buffer.
There is a possibility of OOB write to the allocated buffer
if the assoc response IEs length is greater than the
allocated buffer size.
To avoid above issue validate the assoc response IEs length
with the allocated buffer size before data copy to the buffer.
Change-Id: Ife9c2071a8cc4a2918b9f349f4024478f94b2d78
CRs-Fixed: 2575144
|
|
In the SME layer, a boundary check for the dscp_to_up_map array is not present.
The dscpmapping is an array of 0x40 elements. Values in dscp_exceptions
are used to index dscpmapping. The indices are not validated to be less
than 0x40. The dscp_exceptions array is received from the association
response frame. A malicious AP can send values up to 0xff, causing OOB
write of the dscpmapping array.
Hence, a max index check is added to avoid OOB write of the dscpmapping array.
Change-Id: I73526849677e867673fc0bd0024ed2b003e4f89e
CRs-Fixed: 2569764
|
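Four entries above share one root cause: a length, offset or index taken from firmware or from a frame is used in arithmetic or as an array subscript before it is bounded. hdd_apf_read_memory_cb summed two untrusted values and compared the wrapped result; find_ie_data_after_fils_session_ie subtracted FIXED_PARAM_OFFSET_ASSOC_RSP from a payload length that could be smaller than it; the assoc response and FT assoc response paths copied variable-length IEs into a fixed buffer; and the dscp_exceptions values indexed a 0x40-entry table. The block below is an added example, not qcacld code, placing the unsafe APF check beside the corrected forms. The value 6 for FIXED_PARAM_OFFSET_ASSOC_RSP (Capability, Status, AID) and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not qcacld code. */

#define FIXED_PARAM_OFFSET_ASSOC_RSP 6   /* assumed: Capability(2)+Status(2)+AID(2) */
#define DSCP_MAP_ENTRIES 0x40

/* The pattern the APF callback had: add two attacker-controlled 32-bit
 * values and compare the sum.  0xfffffff0 + 0x20 wraps to 0x10 and passes. */
bool apf_event_fits_unsafe(uint32_t ctx_len, uint32_t pkt_offset, uint32_t ev_len)
{
    return pkt_offset + ev_len <= ctx_len;
}

/* Fixed pattern: bound the offset first, then compare the event length
 * against the space actually left.  ctx_len - pkt_offset cannot underflow
 * because the first check guarantees pkt_offset <= ctx_len. */
bool apf_event_fits(uint32_t ctx_len, uint32_t pkt_offset, uint32_t ev_len)
{
    if (pkt_offset > ctx_len)
        return false;
    return ev_len <= ctx_len - pkt_offset;
}

/* Length of the IE region after the fixed assoc response fields.  Returns -1
 * rather than letting (payload_len - FIXED_PARAM_OFFSET_ASSOC_RSP) wrap. */
int64_t assoc_rsp_ie_region_len(uint32_t payload_len)
{
    if (payload_len < FIXED_PARAM_OFFSET_ASSOC_RSP)
        return -1;
    return (int64_t)payload_len - FIXED_PARAM_OFFSET_ASSOC_RSP;
}

/* Variable-length IEs into a fixed-size buffer for the supplicant: refuse
 * when they do not fit, instead of truncating or overflowing.  Returns the
 * number of bytes copied, or -1. */
int64_t copy_ies_bounded(uint8_t *dst, size_t dst_size, const uint8_t *src, size_t src_len)
{
    if (src_len > dst_size)
        return -1;
    memcpy(dst, src, src_len);
    return (int64_t)src_len;
}

/* DSCP exception from the assoc response used as a table index: a DSCP is
 * 6 bits wide, so anything >= 0x40 from the AP is rejected, not stored. */
bool dscp_map_set(uint8_t map[DSCP_MAP_ENTRIES], uint8_t dscp, uint8_t up)
{
    if (dscp >= DSCP_MAP_ENTRIES)
        return false;
    map[dscp] = up;
    return true;
}
```

The values in the test are constructed. The unsafe check accepts an offset of 0xfffffff0 with a 0x20-byte event against a 4096-byte buffer because the sum wraps; the corrected check rejects it, while still accepting an event that ends exactly at the buffer's last byte.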
|
sme_ese_send_beacon_req_scan_results sends the number of bss descriptions
present in the beacon report through bcn_report->numBss. In each
iteration the driver can send at most 4 BSS. If the driver has to send
a beacon report for more than 4 BSS, it sends 4 BSS per iteration. Once
the first four results are sent and bcn_report->numBss is not reset to 0,
in the next iteration bcn_report->numBss++ starts from 4 instead of 0.
This results in sending a value greater than 4 instead of 4 for the
remaining BSS and leads to integer overflow of bcn_report->numBss.
The driver should memset the beacon_rep buffer in each iteration in order to
prevent integer overflow of bcn_report->numBss. By this the driver
can send a fresh beacon report (independent of the previous beacon report)
in each iteration.
Fix is to memset the beacon_rep buffer to zero after sending the beacon
report in each iteration in sme_ese_send_beacon_req_scan_results.
Change-Id: I0d07e54ec7f05e8eef388f9958fad597dc49873e
CRs-Fixed: 2408834
|
|
If two measurement requests call update_rrm_report() twice, an
out-of-bounds write of the allocated report array, report[] in
rrm_process_radio_measurement_request, is possible.
Change-Id: Icc8b7aa14bbcc1219d28025e599c9976a3525bba
CRs-Fixed: 2564485
|
|
Release 5.1.1.77V
Change-Id: I8ce9f2290e368a1aca40c44e70b5ece04a81ea04
CRs-Fixed: 774533
|
|
Currently the driver is updating 2x2 ht caps without checking
the device capability, because of which even a 1x1 device
gets the ht caps update for 2x2, which results in unexpected
behavior.
To address the above issue, add a check for the device type
before updating the ht caps.
CRs-Fixed: 2744304
Change-Id: I9f5ade3e22be3939fe7f040e278936ad90e2becf
|
|
Release 5.1.1.77U
Change-Id: Id6d5e796daa4f1e174cb9fe889394ce67c670fe8
CRs-Fixed: 774533
|
|
Currently the host does not clean up the SAP pre-cac work in SAP
stop adapter, because of which this work can run after the
SAP adapter is destroyed, which may lead to undefined
behavior.
To address the above issue, flush the SAP pre-cac work in SAP stop
adapter so that the pre-cac work does not run after the SAP adapter
is destroyed.
Change-Id: I5d1f7ca64ddaf922950bfcf2ee869a1ed85f5eba
CRs-Fixed: 2709183
|