Merge android-msm-pixel-4.19-sc-v2 into android-msm-pixel-4.19

SBMerger: 410055097
Change-Id: I5f5df6feeeff63e0c49d88597f925b2134fe32a8
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
diff --git a/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c b/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
index 4ea5b46..d7e0d67 100644
--- a/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
+++ b/target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c
@@ -1046,6 +1046,11 @@
 	dbr_buf_pool = mod_param->dbr_buf_pool;
 	dbr_rsp.dbr_entries = qdf_mem_malloc(dbr_rsp.num_buf_release_entry *
 					sizeof(struct direct_buf_rx_entry));
+	if (!dbr_rsp.dbr_entries) {
+		direct_buf_rx_err("invalid dbr_entries");
+		wlan_objmgr_pdev_release_ref(pdev, dbr_mod_id);
+		return QDF_STATUS_E_FAILURE;
+	}
 
 	if (dbr_rsp.num_meta_data_entry > dbr_rsp.num_buf_release_entry) {
 		direct_buf_rx_err("More than expected number of metadata");
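Review bot: The new NULL check sits between the allocation of `dbr_rsp.dbr_entries` and the `num_meta_data_entry > num_buf_release_entry` sanity check that follows it; if that branch returns without freeing the entries (its body is outside the hunk), the firmware-controlled mismatch now leaks an allocation on every bad event. Validating the counts first and allocating afterwards avoids the question entirely, e.g. move the `qdf_mem_malloc` and its check below the metadata-count `if`. The error string `"invalid dbr_entries"` also reads like a content error; `"failed to allocate %u dbr entries"` with `dbr_rsp.num_buf_release_entry` would make the failure diagnosable. The enclosing function starts and ends outside the hunk.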
diff --git a/target_if/wifi_pos/src/target_if_wifi_pos.c b/target_if/wifi_pos/src/target_if_wifi_pos.c
index 42f5ead..b8f90a3 100644
--- a/target_if/wifi_pos/src/target_if_wifi_pos.c
+++ b/target_if/wifi_pos/src/target_if_wifi_pos.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2019, 2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -90,6 +90,7 @@
 	void *paddr = NULL;
 	uint32_t addr_hi;
 	uint8_t ring_idx = 0, num_rings;
+	uint32_t allocated_len;
 
 	if (!indirect) {
 		target_if_debug("no indirect data. regular event received");
@@ -102,6 +103,16 @@
 		target_if_err("incorrect pdev_id: %d", indirect->pdev_id);
 		return QDF_STATUS_E_INVAL;
 	}
+
+	allocated_len = priv_obj->dma_cap[ring_idx].min_buf_size +
+				(priv_obj->dma_cap[ring_idx].min_buf_align - 1);
+	if (indirect->len > allocated_len ||
+	    indirect->len > OEM_DATA_DMA_BUFF_SIZE) {
+		target_if_err("Invalid indirect len: %d, allocated_len:%d",
+			      indirect->len, allocated_len);
+		return QDF_STATUS_E_INVAL;
+	}
+
 	addr_hi = (uint64_t)WMI_OEM_DMA_DATA_ADDR_HI_GET(
 						indirect->addr_hi);
 	paddr = (void *)((uint64_t)addr_hi << 32 | indirect->addr_lo);
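Review bot: The bound is taken from `priv_obj->dma_cap[ring_idx]` while `ring_idx` still holds its initial value of 0 from the declaration, so the check always uses ring 0's `min_buf_size`/`min_buf_align` even though `num_rings` suggests several rings may be configured; if the ring is selected later by matching `paddr`, the length check belongs after that lookup so it uses the matched ring's capability. `min_buf_align - 1` also wraps to `0xFFFFFFFF` when `min_buf_align` is 0, which would disable the `allocated_len` half of the check; a guard such as `if (!priv_obj->dma_cap[ring_idx].min_buf_align) return QDF_STATUS_E_INVAL;` (or clamping the addend to zero) would keep it meaningful. Minor: `indirect->len` and `allocated_len` are `uint32_t`, so the format should use `%u`. The enclosing function starts and ends outside the hunk.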
diff --git a/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
index b1c9ea5..a882d79 100644
--- a/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
@@ -938,7 +938,7 @@
 	uint16_t tmplen, ie_length;
 	uint8_t *pbeacon, *tmp;
 	bool     set_ssid_flag = false;
-	struct ie_ssid *ssid;
+	struct ie_ssid ssid = {0};
 	uint8_t pdev_id;
 
 	if (!pdev) {
@@ -987,8 +987,15 @@
 						 sizeof(struct ie_header))) {
 				return QDF_STATUS_E_INVAL;
 			}
-			ssid = (struct ie_ssid *)ie;
-			if (util_scan_is_hidden_ssid(ssid)) {
+			ssid.ssid_id = ie->ie_id;
+			ssid.ssid_len = ie->ie_len;
+
+			if (ssid.ssid_len)
+				qdf_mem_copy(ssid.ssid,
+					     ie + sizeof(struct ie_header),
+					     ssid.ssid_len);
+
+			if (util_scan_is_hidden_ssid(&ssid)) {
 				set_ssid_flag  = true;
 				ssid_ie_start_offset = bcn_ie_offset -
 					sizeof(struct ie_header);
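Review bot: The source expression of the new copy, `ie + sizeof(struct ie_header)`, is scaled pointer arithmetic: `ie` is dereferenced as a struct (`ie->ie_id`, `ie->ie_len`), so adding `sizeof(struct ie_header)` advances by that many elements, not bytes, and the copy starts past the real SSID bytes and reads that far beyond the element. It should be `(uint8_t *)ie + sizeof(struct ie_header)` (or equivalently `ie + 1`). The only consumer here, `util_scan_is_hidden_ssid`, checks whether the bytes are zero, so the visible effect is a misclassified hidden SSID, but the read is still out of bounds with respect to the IE. The `ie_len` bound at the top of the hunk begins outside it; if it compares against `sizeof(struct ie_ssid) - sizeof(struct ie_header)` the destination `ssid.ssid` is large enough, otherwise the copy needs `if (ssid.ssid_len > sizeof(ssid.ssid)) return QDF_STATUS_E_INVAL;` first. The enclosing function starts and ends outside the hunk.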
@@ -1015,7 +1022,7 @@
 
 	if (set_ssid_flag) {
 		/* Hidden SSID if the Length is 0 */
-		if (!ssid->ssid_len) {
+		if (!ssid.ssid_len) {
 			/* increase the taillength by length of ssid */
 			if (qdf_nbuf_put_tail(bcnbuf,
 					      conf_ssid->length) == NULL) {
@@ -1048,7 +1055,7 @@
 			qdf_mem_free(tmp);
 
 			/* Hidden ssid with all 0's */
-		} else if (ssid->ssid_len == conf_ssid->length) {
+		} else if (ssid.ssid_len == conf_ssid->length) {
 			/* Insert the  SSID string */
 			qdf_mem_copy((pbeacon + ssid_ie_start_offset +
 				      sizeof(struct ie_header)),
diff --git a/umac/wifi_pos/src/wifi_pos_utils_i.h b/umac/wifi_pos/src/wifi_pos_utils_i.h
index 5ee0380..676fed1 100644
--- a/umac/wifi_pos/src/wifi_pos_utils_i.h
+++ b/umac/wifi_pos/src/wifi_pos_utils_i.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2018, 2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -66,6 +66,8 @@
 
 #ifndef OEM_DATA_RSP_SIZE
 #define OEM_DATA_RSP_SIZE 1724
+/* Header + VHT80 CIR * 2 chains */
+#define OEM_DATA_DMA_BUFF_SIZE (64 + 512 * 4 * 2)
 #endif
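Review bot: `OEM_DATA_DMA_BUFF_SIZE` is defined inside the `#ifndef OEM_DATA_RSP_SIZE` block, so any build that supplies `OEM_DATA_RSP_SIZE` from its config or command line will not define the new macro, and the length check added in target_if_wifi_pos.c that uses it will fail to compile. Give it its own guard outside that block: `#ifndef OEM_DATA_DMA_BUFF_SIZE` / `#define OEM_DATA_DMA_BUFF_SIZE (64 + 512 * 4 * 2)` / `#endif`. The comment would also be more useful if it spelled out the factors, e.g. `/* 64-byte header + VHT80 CIR (512 taps * 4 bytes) * 2 chains */`, so the next reader can check the arithmetic against the firmware format.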
 
 /**
diff --git a/utils/fwlog/dbglog_host.c b/utils/fwlog/dbglog_host.c
index fc580f9..6d3a491 100644
--- a/utils/fwlog/dbglog_host.c
+++ b/utils/fwlog/dbglog_host.c
@@ -1683,7 +1683,7 @@
 	uint32_t diag_data_len; /* each fw diag payload */
 	struct wlan_diag_data *diag_data;
 
-	while (num_data > 0) {
+	while (num_data >= sizeof(struct wlan_diag_data)) {
 		diag_data = (struct wlan_diag_data *)datap;
 		diag_type = WLAN_DIAG_0_TYPE_GET(diag_data->word0);
 		diag_data_len = WLAN_DIAG_0_LEN_GET(diag_data->word0);
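Review bot: The new loop condition only guarantees that the `wlan_diag_data` header fits; `diag_data_len`, read from the firmware-supplied `word0` on the last line of the hunk, is not visibly checked against what remains, so if the body (outside the hunk) advances `datap` and decrements `num_data` by `diag_data_len`, an oversized length still walks past the buffer and, with an unsigned `num_data`, wraps it to a huge value. Right after the header is consumed the loop needs `if (diag_data_len > num_data - sizeof(struct wlan_diag_data)) break;` (or a return with a log). If `num_data` is a signed type, the comparison against `sizeof` promotes it to unsigned, so a negative remainder would also pass the new condition; making it `uint32_t`, or comparing against `(int)sizeof(...)`, closes that. The enclosing function starts and ends outside the hunk.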
diff --git a/wmi/src/wmi_unified_dbr_tlv.c b/wmi/src/wmi_unified_dbr_tlv.c
index f4c0f15..6e91d05 100644
--- a/wmi/src/wmi_unified_dbr_tlv.c
+++ b/wmi/src/wmi_unified_dbr_tlv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -129,7 +129,17 @@
 	param->pdev_id = wmi_handle->ops->convert_target_pdev_id_to_host(
 								ev->pdev_id);
 	param->mod_id = ev->mod_id;
+	if ((!param_buf->num_entries) ||
+	    param_buf->num_entries < ev->num_buf_release_entry){
+		wmi_err("actual num of buf release entries less than provided entries");
+		return QDF_STATUS_E_INVAL;
+	}
 	param->num_buf_release_entry = ev->num_buf_release_entry;
+	if ((!param_buf->num_meta_data) ||
+	    param_buf->num_meta_data < ev->num_meta_data_entry) {
+		wmi_err("actual num of meta data entries less than provided entries");
+		return QDF_STATUS_E_INVAL;
+	}
 	param->num_meta_data_entry = ev->num_meta_data_entry;
 	WMI_LOGD("%s:pdev id %d mod id %d num buf release entry %d", __func__,
 		 param->pdev_id, param->mod_id, param->num_buf_release_entry);
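Review bot: The metadata check rejects the event whenever `param_buf->num_meta_data` is 0, even when `ev->num_meta_data_entry` is also 0 and the event is self-consistent; unless the firmware always sends at least one metadata TLV (not visible here), `param_buf->num_meta_data < ev->num_meta_data_entry` alone is the right condition, and the same applies to the `!param_buf->num_entries` test. Logging the two counts, e.g. `wmi_err("num_entries %u < num_buf_release_entry %u", param_buf->num_entries, ev->num_buf_release_entry);`, would make a rejected event diagnosable. Style: `ev->num_buf_release_entry){` is missing the space before the brace that the second check has. The enclosing function starts and ends outside the hunk.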
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 066d3fa..0a11afc 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -8671,6 +8671,11 @@
 		return QDF_STATUS_E_INVAL;
 	}
 
+	if (ev_hdr->buf_len > param_tlvs->num_bufp) {
+		WMI_LOGE("Rx mgmt frame length mismatch, discard it");
+		return QDF_STATUS_E_INVAL;
+	}
+
 	hdr->pdev_id = wmi_handle->ops->convert_pdev_id_target_to_host(
 							ev_hdr->pdev_id);
 
@@ -10200,6 +10205,9 @@
 	param_buf = (WMI_PDEV_FIPS_EVENTID_param_tlvs *) evt_buf;
 	event = (wmi_pdev_fips_event_fixed_param *) param_buf->fixed_param;
 
+	if (event->data_len > param_buf->num_data)
+		return QDF_STATUS_E_FAILURE;
+
 	if (fips_conv_data_be(event->data_len, param_buf->data) !=
 							QDF_STATUS_SUCCESS)
 		return QDF_STATUS_E_FAILURE;
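Review bot: The new length check returns silently, unlike the equivalent checks elsewhere in this change, so a malformed FIPS event is indistinguishable from a `fips_conv_data_be` failure in the logs; add `WMI_LOGE("FIPS data_len %u exceeds TLV data length %u", event->data_len, param_buf->num_data);` before the return. `event` is taken from `param_buf->fixed_param` two lines earlier and dereferenced by the check; if the TLV parser can leave `fixed_param` NULL (not visible here), the check needs `if (!event || ...)`. The enclosing function starts and ends outside the hunk.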