
qcacld-3.0: Limit the BA window buffer size

In case the peer itself advertises a BA window size larger
than the allowed value, a crash can happen. So, limit the
BA window size to the maximum allowed BA buffer size when
the peer's BA request buffer size exceeds it.

Change-Id: Ie695b9787b555616a5443077147d4bc3a3aefb78
CRs-Fixed: 2766363
Utkarsh Bhatnagar 4 years ago
parent
commit
617c89ade1
1 changed files with 24 additions and 3 deletions
  1. 24 3
      core/mac/src/pe/lim/lim_process_action_frame.c

+ 24 - 3
core/mac/src/pe/lim/lim_process_action_frame.c

@@ -1437,6 +1437,9 @@ static void lim_process_addba_req(struct mac_context *mac_ctx, uint8_t *rx_pkt_i
 	uint32_t frame_len, status;
 	QDF_STATUS qdf_status;
 	void *soc = cds_get_context(QDF_MODULE_ID_SOC);
+	tpDphHashNode sta_ds;
+	uint16_t aid, buff_size;
+	bool he_cap = false;
 
 	mac_hdr = WMA_GET_RX_MAC_HEADER(rx_pkt_info);
 	body_ptr = WMA_GET_RX_MPDU_DATA(rx_pkt_info);
@@ -1460,10 +1463,28 @@ static void lim_process_addba_req(struct mac_context *mac_ctx, uint8_t *rx_pkt_i
 		pe_warn("warning: unpack addba Req(0x%08x, %d bytes)",
 			status, frame_len);
 	}
-	pe_debug("token %d tid %d timeout %d buff_size %d ssn %d",
+
+	sta_ds = dph_lookup_hash_entry(mac_ctx, mac_hdr->sa, &aid,
+				       &session->dph.dphHashTable);
+	if (sta_ds && lim_is_session_he_capable(session))
+		he_cap = lim_is_sta_he_capable(sta_ds);
+
+	if (he_cap)
+		buff_size = MAX_BA_BUFF_SIZE;
+	else
+		buff_size = SIR_MAC_BA_DEFAULT_BUFF_SIZE;
+
+	if (mac_ctx->usr_cfg_ba_buff_size)
+		buff_size = mac_ctx->usr_cfg_ba_buff_size;
+
+	if (addba_req->addba_param_set.buff_size)
+		buff_size = QDF_MIN(buff_size,
+				    addba_req->addba_param_set.buff_size);
+
+	pe_debug("token %d tid %d timeout %d buff_size in frame %d buf_size calculated %d ssn %d",
 		 addba_req->DialogToken.token, addba_req->addba_param_set.tid,
 		 addba_req->ba_timeout.timeout,
-		 addba_req->addba_param_set.buff_size,
+		 addba_req->addba_param_set.buff_size, buff_size,
 		 addba_req->ba_start_seq_ctrl.ssn);
 
 	qdf_status = cdp_addba_requestprocess(
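Review bot: The user override at the `if (mac_ctx->usr_cfg_ba_buff_size)` line replaces the capability-derived ceiling rather than tightening it, so a configured value larger than MAX_BA_BUFF_SIZE (or than SIR_MAC_BA_DEFAULT_BUFF_SIZE for a non-HE peer) would raise the bound that the QDF_MIN below is meant to enforce, unless the cfg layer already range-checks that value, which is not visible here. If the override is only meant to lower the window, `buff_size = QDF_MIN(buff_size, mac_ctx->usr_cfg_ba_buff_size);` keeps the peer-capability limit as a hard cap regardless of configuration. It would also help to state that a NULL `sta_ds` (peer not found in the DPH hash table) deliberately falls back to the non-HE default rather than rejecting the request, e.g. `/* unknown peer: treat as non-HE and use the conservative default window */`, if that is the intent. The new pe_debug format string exceeds the usual 80-column limit and could be split across two adjacent literals. lim_process_addba_req starts and ends outside this hunk.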
@@ -1472,7 +1493,7 @@ static void lim_process_addba_req(struct mac_context *mac_ctx, uint8_t *rx_pkt_i
 					addba_req->DialogToken.token,
 					addba_req->addba_param_set.tid,
 					addba_req->ba_timeout.timeout,
-					addba_req->addba_param_set.buff_size,
+					buff_size,
 					addba_req->ba_start_seq_ctrl.ssn);
 
 	if (QDF_STATUS_SUCCESS == qdf_status) {