Merge branch 'android-msm-barbet-4.19-sc-security' into android-msm-barbet-4.19-sc-v2 May 2022.1 Bug: 218985673 Change-Id: I66318f5a973e2c3b7086c3ce381dcb1d2c2370e0
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index de5d602..64a766d 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -16496,6 +16496,18 @@ qdf_mem_copy(&set_key.Key[0], params->key, params->key_len); qdf_mem_copy(&set_key.keyRsc[0], params->seq, params->seq_len); + if (!pairwise) { + /* set group key */ + hdd_debug("setting Broadcast key"); + set_key.keyDirection = eSIR_RX_ONLY; + qdf_set_macaddr_broadcast(&set_key.peerMac); + } else { + /* set pairwise key */ + hdd_debug("setting pairwise key"); + set_key.keyDirection = eSIR_TX_RX; + qdf_mem_copy(set_key.peerMac.bytes, mac_addr, QDF_MAC_ADDR_SIZE); + } + mac_handle = hdd_ctx->mac_handle; cdp_peer_flush_frags(cds_get_context(QDF_MODULE_ID_SOC), @@ -16598,17 +16610,6 @@ hdd_debug("encryption type %d", set_key.encType); - if (!pairwise) { - /* set group key */ - hdd_debug("setting Broadcast key"); - set_key.keyDirection = eSIR_RX_ONLY; - qdf_set_macaddr_broadcast(&set_key.peerMac); - } else { - /* set pairwise key */ - hdd_debug("setting pairwise key"); - set_key.keyDirection = eSIR_TX_RX; - qdf_mem_copy(set_key.peerMac.bytes, mac_addr, QDF_MAC_ADDR_SIZE); - } if ((QDF_IBSS_MODE == adapter->device_mode) && !pairwise) { /* if a key is already installed, block all subsequent ones */ if (adapter->session.station.ibss_enc_key_installed) {
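Review bot: Nothing in the relocated block records why it must now run before `cdp_peer_flush_frags()`, so a later cleanup could move it back below the call. The call's argument list is cut off by the hunk, but if it reads `set_key.peerMac` (which the move suggests), a comment above `if (!pairwise)` such as `/* peerMac must be populated before the fragment flush below */` would make the dependency explicit. The pairwise branch copies `QDF_MAC_ADDR_SIZE` bytes from `mac_addr` with no NULL check visible here; the enclosing function starts outside the hunk, so confirm it rejects a NULL `mac_addr` for pairwise keys before this point.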
diff --git a/core/hdd/src/wlan_hdd_debugfs_llstat.c b/core/hdd/src/wlan_hdd_debugfs_llstat.c
index 2caf9d4..06508ec 100644
--- a/core/hdd/src/wlan_hdd_debugfs_llstat.c
+++ b/core/hdd/src/wlan_hdd_debugfs_llstat.c
@@ -236,8 +236,8 @@ buffer = ll_stats.result; buffer += ll_stats.len; - len = scnprintf(buffer, DEBUGFS_LLSTATS_BUF_SIZE, - "\n\n===LL_STATS_RADIO: number of radios: %u===", + len = scnprintf(buffer, DEBUGFS_LLSTATS_BUF_SIZE - ll_stats.len, + "\n\n===LL_STATS_RADIO: number of radios: %u===", num_radio); for (i = 0; i < num_radio; i++) {
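Review bot: The new size argument `DEBUGFS_LLSTATS_BUF_SIZE - ll_stats.len` is computed without a visible check that `ll_stats.len` is still below the buffer size. If `ll_stats.len` can reach or exceed it, the remaining size becomes zero or negative, or wraps to a very large value if the field is unsigned (its type is not shown here). A guard before the call, e.g. `if (ll_stats.len >= DEBUGFS_LLSTATS_BUF_SIZE) return;` adapted to the function's return convention, would close that case. The `for` loop that starts at the end of the hunk continues outside it; any further `scnprintf` calls there should be bounded by the remaining space in the same way.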
diff --git a/core/mac/src/include/dot11f.h b/core/mac/src/include/dot11f.h
index 2b57b0d..23d74b4 100644
--- a/core/mac/src/include/dot11f.h
+++ b/core/mac/src/include/dot11f.h
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved. + * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -26,7 +26,7 @@ * * * This file was automatically generated by 'framesc' - * Wed Aug 7 14:47:51 2019 from the following file(s): + * Wed Sep 29 13:23:21 2021 from the following file(s): * * dot11f.frms *
diff --git a/core/mac/src/pe/lim/lim_api.c b/core/mac/src/pe/lim/lim_api.c
index 591a0cb..55d26d8 100644
--- a/core/mac/src/pe/lim/lim_api.c
+++ b/core/mac/src/pe/lim/lim_api.c
@@ -1114,12 +1114,15 @@ ssid_ie = wlan_get_ie_ptr_from_eid(WLAN_ELEMID_SSID, body + SIR_MAC_B_PR_SSID_OFFSET, - frame_len); + frame_len - SIR_MAC_B_PR_SSID_OFFSET); if (!ssid_ie) return false; bcn_ssid.length = ssid_ie[1]; + if (bcn_ssid.length > WLAN_SSID_MAX_LEN) + return false; + qdf_mem_copy(&bcn_ssid.ssId, &ssid_ie[2], bcn_ssid.length);
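Review bot: The corrected length `frame_len - SIR_MAC_B_PR_SSID_OFFSET` can itself wrap when a received frame is shorter than the fixed beacon/probe-response fields, and no lower-bound check on `frame_len` is visible in this hunk. Unless the enclosing function, which starts outside the hunk, already rejects such frames, add `if (frame_len < SIR_MAC_B_PR_SSID_OFFSET) return false;` ahead of the `wlan_get_ie_ptr_from_eid()` call. The new `WLAN_SSID_MAX_LEN` check correctly bounds the copy into `bcn_ssid.ssId`. A short comment noting that `ssid_ie[1]` comes from the frame and is untrusted would explain why the check is there.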
diff --git a/core/mac/src/pe/lim/lim_process_fils.c b/core/mac/src/pe/lim/lim_process_fils.c
index 5596491..9b74ae0 100644
--- a/core/mac/src/pe/lim/lim_process_fils.c
+++ b/core/mac/src/pe/lim/lim_process_fils.c
@@ -2235,6 +2235,11 @@ uint8_t *fils_ies; struct pe_fils_session *fils_info = session->fils_info; + if (*n_frame < FIXED_PARAM_OFFSET_ASSOC_RSP) { + pe_debug("payload len is less than ASSOC RES offset"); + return QDF_STATUS_E_FAILURE; + } + status = find_ie_data_after_fils_session_ie(mac_ctx, p_frame + FIXED_PARAM_OFFSET_ASSOC_RSP, ((*n_frame) -
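Review bot: The rejection message in the new length check gives neither the received length nor the required minimum, so a truncated association response cannot be told apart from other failures in the log. It also says "ASSOC RES" where the constant is named `..._ASSOC_RSP`. Something like `pe_debug("payload len %u is less than ASSOC RSP offset %u", *n_frame, FIXED_PARAM_OFFSET_ASSOC_RSP);` would help triage, with format specifiers adjusted to the real type of `*n_frame`, which is declared outside the hunk. A one-line comment that the check prevents the subtraction in the following `find_ie_data_after_fils_session_ie()` call from underflowing would document the intent.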
diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
index b27b785..115d006 100644
--- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c
+++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved. + * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -24,7 +24,7 @@ * * * This file was automatically generated by 'framesc' - * Wed Aug 7 14:47:51 2019 from the following file(s): + * Wed Sep 29 13:23:21 2021 from the following file(s): * * dot11f.frms * @@ -14737,25 +14737,30 @@ } /* & length, */ if (pTlv->sLen == 2) { - framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb); if (2 > nBufRemaining) { FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports " "fewer two byte(s) remaining.\n")); status |= DOT11F_INCOMPLETE_TLV; FRAMES_DBG_BREAK(); goto MandatoryCheck; - } - pBufRemaining += 2; - nBufRemaining -= 2; + } + framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb); + pBufRemaining += 2; + nBufRemaining -= 2; } else { len = *pBufRemaining; pBufRemaining += 1; nBufRemaining -= 1; } } else { + if (TLVs[0].sType > nBufRemaining) { + FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports " + "fewer LVs[0].sType byte(s) remaining.\n")); + status |= DOT11F_INCOMPLETE_TLV; + goto MandatoryCheck; + } pBufRemaining += TLVs[0].sType; nBufRemaining -= TLVs[0].sType; - framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2)); if (2 > nBufRemaining) { FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports " "fewer two byte(s) remaining.\n")); @@ -14763,6 +14768,7 @@ FRAMES_DBG_BREAK(); goto MandatoryCheck; } + framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2)); pBufRemaining += 2; nBufRemaining -= 2; }
diff --git a/core/wma/src/wma_features.c b/core/wma/src/wma_features.c
index 38b7735..477ca76 100644
--- a/core/wma/src/wma_features.c
+++ b/core/wma/src/wma_features.c
@@ -1697,39 +1697,39 @@ static void wma_wow_stats_display(struct wake_lock_stats *stats) { - WMA_LOGA("WLAN wake reason counters:"); - WMA_LOGA("uc:%d bc:%d v4_mc:%d v6_mc:%d ra:%d ns:%d na:%d " - "icmp:%d icmpv6:%d", - stats->ucast_wake_up_count, - stats->bcast_wake_up_count, - stats->ipv4_mcast_wake_up_count, - stats->ipv6_mcast_wake_up_count, - stats->ipv6_mcast_ra_stats, - stats->ipv6_mcast_ns_stats, - stats->ipv6_mcast_na_stats, - stats->icmpv4_count, - stats->icmpv6_count); + wma_nofl_info("WLAN wake reason counters:"); + wma_nofl_info("uc:%d bc:%d v4_mc:%d v6_mc:%d ra:%d ns:%d na:%d " + "icmp:%d icmpv6:%d", + stats->ucast_wake_up_count, + stats->bcast_wake_up_count, + stats->ipv4_mcast_wake_up_count, + stats->ipv6_mcast_wake_up_count, + stats->ipv6_mcast_ra_stats, + stats->ipv6_mcast_ns_stats, + stats->ipv6_mcast_na_stats, + stats->icmpv4_count, + stats->icmpv6_count); - WMA_LOGA("assoc:%d disassoc:%d assoc_resp:%d reassoc:%d " - "reassoc_resp:%d auth:%d deauth:%d action:%d", - stats->mgmt_assoc, - stats->mgmt_disassoc, - stats->mgmt_assoc_resp, - stats->mgmt_reassoc, - stats->mgmt_reassoc_resp, - stats->mgmt_auth, - stats->mgmt_deauth, - stats->mgmt_action); + wma_nofl_info("assoc:%d disassoc:%d assoc_resp:%d reassoc:%d " + "reassoc_resp:%d auth:%d deauth:%d action:%d", + stats->mgmt_assoc, + stats->mgmt_disassoc, + stats->mgmt_assoc_resp, + stats->mgmt_reassoc, + stats->mgmt_reassoc_resp, + stats->mgmt_auth, + stats->mgmt_deauth, + stats->mgmt_action); - WMA_LOGA("pno_match:%d pno_complete:%d gscan:%d " - "low_rssi:%d rssi_breach:%d oem:%d scan_11d:%d", - stats->pno_match_wake_up_count, - stats->pno_complete_wake_up_count, - stats->gscan_wake_up_count, - stats->low_rssi_wake_up_count, - stats->rssi_breach_wake_up_count, - stats->oem_response_wake_up_count, - stats->scan_11d); + wma_nofl_info("pno_match:%d pno_complete:%d gscan:%d " + "low_rssi:%d rssi_breach:%d oem:%d scan_11d:%d", + stats->pno_match_wake_up_count, + stats->pno_complete_wake_up_count, + 
stats->gscan_wake_up_count, + stats->low_rssi_wake_up_count, + stats->rssi_breach_wake_up_count, + stats->oem_response_wake_up_count, + stats->scan_11d); } static void wma_print_wow_stats(t_wma_handle *wma, @@ -2542,13 +2542,13 @@ uint8_t to_from_ds, frag_num; uint32_t seq_num; - wma_err("RA: " QDF_MAC_ADDR_STR " TA: " QDF_MAC_ADDR_STR, - QDF_MAC_ADDR_ARRAY(wh->i_addr1), - QDF_MAC_ADDR_ARRAY(wh->i_addr2)); + wma_nofl_info("RA: " QDF_MAC_ADDR_STR " TA: " QDF_MAC_ADDR_STR, + QDF_MAC_ADDR_ARRAY(wh->i_addr1), + QDF_MAC_ADDR_ARRAY(wh->i_addr2)); - WMA_LOGE("TO_DS: %u, FROM_DS: %u", - wh->i_fc[1] & IEEE80211_FC1_DIR_TODS, - wh->i_fc[1] & IEEE80211_FC1_DIR_FROMDS); + wma_nofl_info("TO_DS: %u, FROM_DS: %u", + wh->i_fc[1] & IEEE80211_FC1_DIR_TODS, + wh->i_fc[1] & IEEE80211_FC1_DIR_FROMDS); to_from_ds = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; @@ -2558,19 +2558,19 @@ QDF_MAC_ADDR_ARRAY(wh->i_addr3)); break; case IEEE80211_FC1_DIR_TODS: - wma_err("DA: " QDF_MAC_ADDR_STR, - QDF_MAC_ADDR_ARRAY(wh->i_addr3)); + wma_nofl_info("DA: " QDF_MAC_ADDR_STR, + QDF_MAC_ADDR_ARRAY(wh->i_addr3)); break; case IEEE80211_FC1_DIR_FROMDS: - wma_err("SA: " QDF_MAC_ADDR_STR, - QDF_MAC_ADDR_ARRAY(wh->i_addr3)); + wma_nofl_info("SA: " QDF_MAC_ADDR_STR, + QDF_MAC_ADDR_ARRAY(wh->i_addr3)); break; case IEEE80211_FC1_DIR_DSTODS: if (buf_len >= sizeof(struct ieee80211_frame_addr4)) - wma_err("DA: " QDF_MAC_ADDR_STR " SA: " - QDF_MAC_ADDR_STR, - QDF_MAC_ADDR_ARRAY(wh->i_addr3), - QDF_MAC_ADDR_ARRAY(wh->i_addr4)); + wma_nofl_info("DA: " QDF_MAC_ADDR_STR " SA: " + QDF_MAC_ADDR_STR, + QDF_MAC_ADDR_ARRAY(wh->i_addr3), + QDF_MAC_ADDR_ARRAY(wh->i_addr4)); break; } @@ -2581,8 +2581,8 @@ IEEE80211_SEQ_FRAG_MASK) >> IEEE80211_SEQ_FRAG_SHIFT); - WMA_LOGE("SEQ_NUM: %u, FRAG_NUM: %u", - seq_num, frag_num); + wma_nofl_info("SEQ_NUM: %u, FRAG_NUM: %u", + seq_num, frag_num); } else { WMA_LOGE("Insufficient buffer length for mgmt. packet"); } 
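Review bot: The first `case` of the `to_from_ds` switch is not converted along with the others. Its log call opens in the unchanged lines between the `-2542` and `-2558` hunks, so only its argument line `QDF_MAC_ADDR_ARRAY(wh->i_addr3));` appears here as context. The `DIR_TODS`, `DIR_FROMDS` and `DIR_DSTODS` cases now use `wma_nofl_info(`, so that remaining call (presumably still `wma_err(`, though its opening line is not shown) will log one frame's addresses at two different levels. Converting it to `wma_nofl_info(` as well would keep the packet dump consistent. The `WMA_LOGE("Insufficient buffer length for mgmt. packet")` in the `-2581` hunk is a genuine error path and is reasonable to leave as is.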
@@ -2986,13 +2986,13 @@ /* "Unspecified" means APPS triggered wake, else firmware triggered */ if (wake_info->wake_reason != WOW_REASON_UNSPECIFIED) { vdev = &wma->interfaces[wake_info->vdev_id]; - WMA_LOGA("WLAN triggered wakeup: %s (%d), vdev: %d (%s)", + wma_nofl_info("WLAN triggered wakeup: %s (%d), vdev: %d (%s)", wma_wow_wake_reason_str(wake_info->wake_reason), wake_info->wake_reason, wake_info->vdev_id, wma_vdev_type_str(vdev->type)); } else if (!wmi_get_runtime_pm_inprogress(wma->wmi_handle)) { - WMA_LOGA("Non-WLAN triggered wakeup: %s (%d)", + wma_nofl_info("Non-WLAN triggered wakeup: %s (%d)", wma_wow_wake_reason_str(wake_info->wake_reason), wake_info->wake_reason); } @@ -3105,7 +3105,7 @@ { tp_wma_handle wma = (tp_wma_handle) handle; - WMA_LOGA("Received PDEV resume event"); + wma_nofl_info("Received PDEV resume event"); ucfg_pmo_psoc_wakeup_host_event_received(wma->psoc);
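Review bot: In the `-2986` hunk, `vdev = &wma->interfaces[wake_info->vdev_id];` indexes the interface table with a value taken from the wake event, and no range check is visible before `vdev->type` is read for the log line. The enclosing function starts outside the hunk, so the check may already exist earlier. If it does not, validate `wake_info->vdev_id` against the number of entries in `wma->interfaces` before taking the pointer and skip the vdev-specific log otherwise. As a style point, the continuation lines under both converted `wma_nofl_info(` calls here keep the old indentation and no longer align with the opening parenthesis, unlike the other hunks in this file.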
diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c
index 9231971..8d5b6c7 100644
--- a/core/wma/src/wma_scan_roam.c
+++ b/core/wma/src/wma_scan_roam.c
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2020 The Linux Foundation. All rights reserved. + * Copyright (c) 2013-2021 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -3726,7 +3726,7 @@ num_tlv = MAX_ROAM_SCAN_STATS_TLV; } - rem_len = WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_param); + rem_len = len - sizeof(*fixed_param); if (rem_len < num_tlv * sizeof(wmi_roam_trigger_reason)) { wma_err_rl("Invalid roam trigger data"); goto err;
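Review bot: In the `-3726` hunk, `rem_len = len - sizeof(*fixed_param);` wraps to a very large value when `len` is smaller than the fixed parameter structure. The following `rem_len < num_tlv * sizeof(wmi_roam_trigger_reason)` test would then pass for a truncated event. No lower or upper bound on `len` is visible in the hunk, and the function starts outside it. Unless one is enforced earlier, add `if (len < sizeof(*fixed_param) || len > WMI_SVC_MSG_MAX_SIZE) goto err;` before the subtraction. That also keeps the ceiling the old constant-based computation implied.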