diff options
author | PixelBot AutoMerger <android-nexus-securitybot@system.gserviceaccount.com> | 2024-02-25 19:07:46 -0800 |
---|---|---|
committer | SecurityBot <android-nexus-securitybot@system.gserviceaccount.com> | 2024-02-25 19:07:47 -0800 |
commit | aa71c4b8efdd73b46deea02963ffae3d76814b7f (patch) | |
tree | 042a9ad68dec02e9d3d9f72acb1892b6f4033cf2 | |
parent | 5503fa1d9ab98ed74d4e7736f91f17f7313381ed (diff) | |
parent | 8412b34a08a1109abd5e9b6b6ed0f187fd0c7ebf (diff) | |
download | wlan-android-gs-felix-5.10-android15-beta.tar.gz |
Merge android13-gs-pixel-5.10-24Q2 into android13-gs-pixel-5.10android-15-beta-2_r0.6android-15-beta-2_r0.5android-15-beta-2_r0.4android-15-beta-2_r0.3android-15-beta-2_r0.2android-15-beta-2_r0.1android-15-beta-1_r0.5android-15-beta-1_r0.3android-gs-tangorpro-5.10-android15-betaandroid-gs-raviole-5.10-android15-dpandroid-gs-raviole-5.10-android15-betaandroid-gs-pantah-5.10-android15-betaandroid-gs-lynx-5.10-android15-dpandroid-gs-lynx-5.10-android15-betaandroid-gs-felix-5.10-android15-betaandroid-gs-bluejay-5.10-android15-beta
SBMerger: 605678113
Change-Id: Ice2c628f9869a51ecdf9485844e854052caa4fd8
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
5 files changed, 82 insertions, 36 deletions
diff --git a/qca-wifi-host-cmn/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h b/qca-wifi-host-cmn/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h index 438708e..331b222 100644 --- a/qca-wifi-host-cmn/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h +++ b/qca-wifi-host-cmn/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h @@ -273,6 +273,8 @@ #define WLAN_MAX_SRP_IE_LEN 21 #define WLAN_MAX_MUEDCA_IE_LEN 14 +#define WLAN_MIN_HECAP_IE_LEN 22 +#define WLAN_MAX_HECAP_IE_LEN 55 #define WLAN_MAX_HE_6G_CAP_IE_LEN 3 #define WLAN_MAX_HEOP_IE_LEN 16 #define WLAN_HEOP_OUI_TYPE "\x24" @@ -581,6 +583,7 @@ enum element_ie { * @WLAN_EXTN_ELEMID_MUEDCA: MU-EDCA IE * @WLAN_EXTN_ELEMID_HE_6G_CAP: HE 6GHz Band Capabilities IE * @WLAN_EXTN_ELEMID_SRP: spatial reuse parameter IE + * @WLAN_EXTN_ELEMID_OCI: OCI IE * @WLAN_EXTN_ELEMID_NONINHERITANCE: Non inheritance IE * @WLAN_EXTN_ELEMID_EHTOP: EHT Operation IE * @WLAN_EXTN_ELEMID_MULTI_LINK: Multi-Link IE @@ -592,6 +595,7 @@ enum extn_element_ie { WLAN_EXTN_ELEMID_HEOP = 36, WLAN_EXTN_ELEMID_MUEDCA = 38, WLAN_EXTN_ELEMID_SRP = 39, + WLAN_EXTN_ELEMID_OCI = 54, WLAN_EXTN_ELEMID_NONINHERITANCE = 56, WLAN_EXTN_ELEMID_HE_6G_CAP = 59, WLAN_EXTN_ELEMID_ESP = 11, @@ -1562,6 +1566,8 @@ struct wlan_ie_vhtop { #define WLAN_HE_MACCAP_LEN 6 #define WLAN_HE_PHYCAP_LEN 11 #define WLAN_HE_MAX_MCS_MAPS 3 +#define WLAN_HE_MCS_MAP_LEN 2 +#define WLAN_INVALID_RX_MCS_MAP 0xFFFF /** * struct wlan_ie_hecaps - HT capabilities * @elem_id: HE caps IE diff --git a/qca-wifi-host-cmn/umac/regulatory/core/src/reg_services_common.c b/qca-wifi-host-cmn/umac/regulatory/core/src/reg_services_common.c index 40c1b16..bc333e3 100644 --- a/qca-wifi-host-cmn/umac/regulatory/core/src/reg_services_common.c +++ b/qca-wifi-host-cmn/umac/regulatory/core/src/reg_services_common.c @@ -3463,7 +3463,8 @@ static uint32_t reg_get_channel_flags_for_freq(struct wlan_objmgr_pdev *pdev, chan_enum = reg_get_chan_enum_for_freq(freq); if (chan_enum == INVALID_CHANNEL) { - reg_err("chan freq is not valid"); + if(freq) + reg_err("chan freq %d is not valid", freq); return REGULATORY_CHAN_INVALID; } diff --git a/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c index a2699a5..71361de 100644 --- a/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c +++ b/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c @@ -1,6 +1,6 @@ /* * Copyright (c) 2017-2021 The Linux Foundation. All rights reserved. - * Copyright (c) 2021-2022 Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -900,6 +900,9 @@ util_scan_parse_extn_ie(struct scan_cache_entry *scan_params, scan_params->ie_list.srp = (uint8_t *)ie; break; case WLAN_EXTN_ELEMID_HECAP: + if ((extn_ie->ie_len < WLAN_MIN_HECAP_IE_LEN) || + (extn_ie->ie_len > WLAN_MAX_HECAP_IE_LEN)) + return QDF_STATUS_E_INVAL; scan_params->ie_list.hecap = (uint8_t *)ie; break; case WLAN_EXTN_ELEMID_HEOP: @@ -1410,7 +1413,7 @@ static void util_scan_update_esp_data(struct wlan_esp_ie *esp_information, } /** - * util_scan_scm_update_bss_with_esp_dataa: calculate estimated air time + * util_scan_scm_update_bss_with_esp_data: calculate estimated air time * fraction * @scan_entry: new received entry * @@ -1460,7 +1463,7 @@ static void util_scan_scm_update_bss_with_esp_data( /** * util_scan_scm_calc_nss_supported_by_ap() - finds out nss from AP - * @scan_entry: new received entry + * @scan_params: new received entry * * Return: number of nss advertised by AP */ @@ -1469,28 +1472,36 @@ static int util_scan_scm_calc_nss_supported_by_ap( { struct htcap_cmn_ie *htcap; struct wlan_ie_vhtcaps *vhtcaps; - struct wlan_ie_hecaps *hecaps; + uint8_t *he_cap; + uint8_t *end_ptr = NULL; uint16_t rx_mcs_map = 0; + uint8_t *mcs_map_offset; htcap = (struct htcap_cmn_ie *) util_scan_entry_htcap(scan_params); vhtcaps = (struct wlan_ie_vhtcaps *) util_scan_entry_vhtcap(scan_params); - hecaps = (struct wlan_ie_hecaps *) - util_scan_entry_hecap(scan_params); + he_cap = util_scan_entry_hecap(scan_params); - if (hecaps) { + if (he_cap) { /* Using rx mcs map related to 80MHz or lower as in some - * cases higher mcs may suuport lesser NSS than that + * cases higher mcs may support lesser NSS than that * of lowe mcs. Thus giving max NSS capability. */ - rx_mcs_map = - qdf_cpu_to_le16(hecaps->mcs_bw_map[0].rx_mcs_map); + end_ptr = he_cap + he_cap[1] + sizeof(struct ie_header); + mcs_map_offset = (he_cap + sizeof(struct extn_ie_header) + + WLAN_HE_MACCAP_LEN + WLAN_HE_PHYCAP_LEN); + if ((mcs_map_offset + WLAN_HE_MCS_MAP_LEN) <= end_ptr) { + rx_mcs_map = *(uint16_t *)mcs_map_offset; + } else { + rx_mcs_map = WLAN_INVALID_RX_MCS_MAP; + scm_debug("mcs_map_offset exceeds he cap len"); + } } else if (vhtcaps) { rx_mcs_map = vhtcaps->rx_mcs_map; } - if (hecaps || vhtcaps) { + if (he_cap || vhtcaps) { if ((rx_mcs_map & 0xC000) != 0xC000) return 8; @@ -1715,7 +1726,7 @@ static void util_scan_set_security(struct scan_cache_entry *scan_params) } #ifdef WLAN_FEATURE_11BE_MLO -/** +/* * Multi link IE field offsets * ------------------------------------------------------------------------ * | EID(1) | Len (1) | EID_EXT (1) | ML_CONTROL (2) | CMN_INFO (var) | ... | @@ -1789,22 +1800,26 @@ static void util_scan_update_ml_info(struct scan_cache_entry *scan_entry) uint8_t *ml_ie = scan_entry->ie_list.multi_link; uint16_t multi_link_ctrl; uint8_t offset; + uint8_t *end_ptr = NULL; if (!scan_entry->ie_list.multi_link) { return; } + end_ptr = ml_ie + ml_ie[TAG_LEN_POS] + sizeof(struct ie_header); + multi_link_ctrl = *(uint16_t *)(ml_ie + ML_CONTROL_OFFSET); /* TODO: update ml_info based on ML IE */ - multi_link_ctrl = *(uint16_t *)(ml_ie + ML_CONTROL_OFFSET); offset = ML_CMN_INFO_OFFSET; - /* TODO: Add proper parsing based on presense bitmap */ + /* TODO: Add proper parsing based on presence bitmap */ if (multi_link_ctrl & CMN_INFO_MLD_ADDR_PRESENT_BIT) { - qdf_mem_copy(&scan_entry->ml_info.mld_mac_addr, - ml_ie + offset, 6); - offset += 6; + if ((ml_ie + offset + QDF_MAC_ADDR_SIZE) <= end_ptr) { + qdf_mem_copy(&scan_entry->ml_info.mld_mac_addr, + ml_ie + offset, QDF_MAC_ADDR_SIZE); + offset += QDF_MAC_ADDR_SIZE; + } } /* TODO: Decode it from ML IE */ @@ -1814,8 +1829,10 @@ static void util_scan_update_ml_info(struct scan_cache_entry *scan_entry) * Copy Link ID & MAC address of the scan cache entry as first entry * in the partner info list */ - if (multi_link_ctrl & CMN_INFO_LINK_ID_PRESENT_BIT) - scan_entry->ml_info.self_link_id = ml_ie[offset] & 0x0F; + if (multi_link_ctrl & CMN_INFO_LINK_ID_PRESENT_BIT) { + if (&ml_ie[offset] < end_ptr) + scan_entry->ml_info.self_link_id = ml_ie[offset] & 0x0F; + } util_get_partner_link_info(scan_entry); } @@ -1906,7 +1923,7 @@ util_scan_gen_scan_entry(struct wlan_objmgr_pdev *pdev, scan_entry->bcn_int = le16toh(bcn->beacon_interval); /* - * In case if the beacon dosnt have + * In case if the beacon doesn't have * valid beacon interval falback to def */ if (!scan_entry->bcn_int) @@ -2563,8 +2580,9 @@ static uint32_t util_gen_new_ie(uint8_t *ie, uint32_t ielen, * copied to new ie, skip ssid, capability, bssid-index ie */ tmp_new = sub_copy; - while (((tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy) <= - subie_len) { + while ((subie_len > 0) && + (((tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy) <= + (subie_len - 1))) { if (!(tmp_new[0] == WLAN_ELEMID_NONTX_BSSID_CAP || tmp_new[0] == WLAN_ELEMID_SSID || tmp_new[0] == WLAN_ELEMID_MULTI_BSSID_IDX || @@ -3059,9 +3077,10 @@ util_scan_parse_beacon_frame(struct wlan_objmgr_pdev *pdev, mbssid_ie = util_scan_find_ie(WLAN_ELEMID_MULTIPLE_BSSID, (uint8_t *)&bcn->ie, ie_len); if (mbssid_ie) { - if (mbssid_ie[1] <= 0) { + /* some APs announce the MBSSID ie_len as 1 */ + if (mbssid_ie[TAG_LEN_POS] < 1) { scm_debug("MBSSID IE length is wrong %d", - mbssid_ie[1]); + mbssid_ie[TAG_LEN_POS]); return status; } qdf_mem_copy(&mbssid_info.trans_bssid, diff --git a/qcacld-3.0/core/mac/inc/sir_mac_prot_def.h b/qcacld-3.0/core/mac/inc/sir_mac_prot_def.h index 8a4251f..332dbd3 100644 --- a/qcacld-3.0/core/mac/inc/sir_mac_prot_def.h +++ b/qcacld-3.0/core/mac/inc/sir_mac_prot_def.h @@ -1,6 +1,6 @@ /* * Copyright (c) 2011-2021 The Linux Foundation. All rights reserved. - * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -1871,4 +1871,7 @@ struct he_6ghz_capability_info { #define SIR_MAC_TXSTBC 1 #define SIR_MAC_RXSTBC 1 +#define SIR_MAC_IE_TYPE_OFFSET 0 +#define SIR_MAC_IE_LEN_OFFSET 1 +#define SIR_MAC_IE_TYPE_LEN_SIZE 2 #endif /* __MAC_PROT_DEFS_H */ diff --git a/qcacld-3.0/core/mac/src/pe/lim/lim_process_action_frame.c b/qcacld-3.0/core/mac/src/pe/lim/lim_process_action_frame.c index 8f83562..537d323 100644 --- a/qcacld-3.0/core/mac/src/pe/lim/lim_process_action_frame.c +++ b/qcacld-3.0/core/mac/src/pe/lim/lim_process_action_frame.c @@ -61,6 +61,11 @@ (DOT11F_FF_CATEGORY_LEN + DOT11F_FF_ACTION_LEN + DOT11F_FF_TRANSACTIONID_LEN) #define SA_QUERY_IE_OFFSET (4) +#define MIN_OCI_IE_LEN 6 +#define OCI_IE_OUI_SIZE 1 +#define OCI_IE_OP_CLS_OFFSET 3 +#define ELE_ID_EXT_LEN 1 + static last_processed_msg rrm_link_action_frm; /**----------------------------------------------------------------- @@ -1213,13 +1218,19 @@ static bool lim_check_oci_match(struct mac_context *mac, struct pe_session *pe_session, uint8_t *ie, uint8_t *peer, uint32_t ie_len) { - const uint8_t *oci_ie; - tDot11fIEoci self_oci, *peer_oci; + const uint8_t *oci_ie, ext_id_param = WLAN_EXTN_ELEMID_OCI; + tDot11fIEoci self_oci, peer_oci = {0}; + uint32_t status = DOT11F_PARSE_SUCCESS; if (!lim_is_self_and_peer_ocv_capable(mac, peer, pe_session)) return true; - oci_ie = wlan_get_ie_ptr_from_eid(DOT11F_EID_OCI, ie, ie_len); + if (ie_len < MIN_OCI_IE_LEN) + return false; + + oci_ie = wlan_get_ext_ie_ptr_from_ext_id(&ext_id_param, + OCI_IE_OUI_SIZE, + ie, ie_len); if (!oci_ie) { pe_err("OCV not found OCI in SA Query frame!"); return false; @@ -1233,19 +1244,25 @@ lim_check_oci_match(struct mac_context *mac, struct pe_session *pe_session, * Primary channel : 1 byte * Freq_seg_1_ch_num : 1 byte */ - peer_oci = (tDot11fIEoci *)&oci_ie[2]; + status = dot11f_unpack_ie_oci(mac, + (uint8_t *)&oci_ie[OCI_IE_OP_CLS_OFFSET], + oci_ie[SIR_MAC_IE_LEN_OFFSET] - + ELE_ID_EXT_LEN, + &peer_oci, false); + if (!DOT11F_SUCCEEDED(status) || !peer_oci.present) + return false; lim_fill_oci_params(mac, pe_session, &self_oci); - if ((self_oci.op_class != peer_oci->op_class) || - (self_oci.prim_ch_num != peer_oci->prim_ch_num) || - (self_oci.freq_seg_1_ch_num != peer_oci->freq_seg_1_ch_num)) { + if ((self_oci.op_class != peer_oci.op_class) || + (self_oci.prim_ch_num != peer_oci.prim_ch_num) || + (self_oci.freq_seg_1_ch_num != peer_oci.freq_seg_1_ch_num)) { pe_err("OCI mismatch,self %d %d %d, peer %d %d %d", self_oci.op_class, self_oci.prim_ch_num, self_oci.freq_seg_1_ch_num, - peer_oci->op_class, - peer_oci->prim_ch_num, - peer_oci->freq_seg_1_ch_num); + peer_oci.op_class, + peer_oci.prim_ch_num, + peer_oci.freq_seg_1_ch_num); return false; } |