In extract_roam_scan_stats_res_evt_tlv(), there is potential
buffer-overflow due to no input validation of following event
parameters from firmware:
(a) Roam scan frequencies against maximum value of 50
(WMI_ROAM_SCAN_STATS_CHANNELS_MAX) and
(b) Roam scan candidates against maximum value of 4
(WMI_ROAM_SCAN_STATS_CANDIDATES_MAX)
To fix this, validate roam scan stats event parameters.
Change-Id: I866b492f7ccb48c4960ff25a9e817cbdb394509e
CRs-Fixed: 2335530
1. Send add random mac addr rx filter WMI command
to target
2. Add/Del the active random mac addr entry
3. Clear random mac addr from target if not active
Change-Id: I9dcbdc20b76d9865da7a8db6ee013bf5e44e4407
CRs-Fixed: 2322097
When WMI_SERVICE_READY_EXT_EVENT is received from firmware, the
function extract_chainmask_tables_tlv is called to update the
soc caps and other capabilities to the host. hw_caps is
extracted directly from the param_buf value received from the
firmware and hw_caps->num_chainmask_tables is used to traverse
through the chainmask table and update the values to it from the
param_buf->mac_phy_chainmask_caps. hw_caps->num_chainmask_tables
is validated against PSOC_MAX_CHAINMASK_TABLES but not against
param_buf->num_mac_phy_chainmask_combo. This can cause potential
out of bound read in extract_chainmask_tables_tlv.
Validate the value of the hw_caps->num_chainmask_tables received
from the firmware against param_buf->num_mac_phy_chainmask_combo
before updating chainmask_table.
Change-Id: Ibf438760a9219f4ff82d29b42aa30f4dcf626364
CRs-Fixed: 2336842
num_chainmask_tables used as a for loop variable in
extract_service_ready_ext_tlv(), is never bound check
and may lead to OOB.
Change-Id: Ib0fdde8386fc372abee44934e10e9f54b0fe25b8
CRS-Fixed: 2330943
In extract_roam_scan_stats_res_evt_tlv(), validate
num_roam_scans to avoid any possible integer overflow
when receive larger num_roam_scans value.
Change-Id: I0f3bbf64fac8c151789de2f93a77c9af29b855d1
CRs-Fixed: 2331868
the fixed_param TLV structure is pulled from the WMI message and
assigned to chan_list_event_hdr. num_2g_reg_rules and
num_5g_reg_rules are assigned from the TLV structure, then passed
to create_reg_rules_from_wmi without length check, out of buffer
may happen.
Change-Id: I70c9d74ef94161896e1c7700c73943040f3a77e1
CRs-Fixed: 2327667
While extracting green ap egap status info there is no
sanity check for egap info event and chainmask event which may
lead to NULL pointer access.
To prevent this NULL pointer access add a sanity check for
egap info event and chainmask event.
Change-Id: Ib9cc273f12bb159bce309065279230e96925be7f
CRs-Fixed: 2331873
This commit contains the following changes related to FR49350:
usenol pdev param declaration and implementation of wmi cmd to send
the param to FW.
Failure status code declaration for scan and vdev start.
CRs-Fixed: 2328894
Change-Id: I5d3bfe758aeb9907193b6f626582b70413f5381c
Change the wmi_pdev_stats structure to wmi_pdev_stats_v2 structure.
This change is needed because of corresponding change made in FW
for renaming the structure.
Change-Id: I6dd3abd61730d8f17d74a11a42978a64853136e5
In the existing converged component, WMI TLV APIs are implemented in
a generic manner without proper featurization. All the APIs exposed
outside of WMI are implemented in wmi_unified_api.c and all the APIs
forming the CMD or extracting the EVT is implemented in wmi_unified_tlv.c.
Since WIN and MCL have a unified WMI layer in the converged component and
there are features within WIN and MCL that are not common, there exists a
good number of WMI APIs which are specific to WIN but compiled by MCL and
vice-versa. Due to this inadvertent problem, there is a chunk of code and
memory used up by WIN and MCL for features that are not used in their
products.
Featurize WMI APIs and TLVs that are specific to MCL -
- DSRC
- NAN
- P2P
- PMO
- roaming
- concurrency
- STA
- Generic MCL specific WMI (STA)
Change-Id: I03a68b0db30a3aa585b269ab0a1745b37bc7e0b7
CRs-Fixed: 2316935
Chain mask tables number is from wmi service ready ext event, it is
not check valid which will cause oob read arry of chain mask tables.
Change-Id: I2fa0251358ed66d928477c0b55933ca028c8bd53
CRs-Fixed: 2331850
In extract_reg_11d_new_country_event_tlv(), the
reg_11d_country_event->new_alpha2 buffer from the original WMI
message is copied into reg_11d_country->alpha2. Will only copy
REG_ALPHA2_LEN bytes into a buffer that REG_ALPHA2_LEN +1 bytes.
then reg_11d_country->alpha2 buffer is printed as a string.
Because the original reg_11d_new_country structure in
tgt_reg_11d_new_cc_handler() was allocated on the stack and
not initialized, there is no guarantee that the buffer is
NULL terminated. Due to this the WMI_LOGD() call will result in
an OOB issue when printing the buffer.
Change-Id: I20b0044974438d95e4c09f843db2a7f369c9b85d
CRs-Fixed: 2327718
In the call to QDF_TRACE_HEX_DUMP in extract_ndp_confirm_tlv(),
the buffer, event->ndp_cfg is dereferenced an additional time
and then read the length number of bytes in hex_dump_to_buffer,
resulting in an OOB read.
As WMI logging is already enabled, remove the hex dump.
Change-Id: I6a866e87dd80f3e41cf3c699ff4846416d309cf3
CRs-Fixed: 2326012
Bufp and buf_len are populated in extract_comb_phyerr_tlv
without validating the buf_len which can cause possible
out of bound access in dfs_phyerr_event_handler.
Fix is to validate the buf_len against num_bufp in param_tlvs.
Change-Id: I95e18d7600f8419f31e768fcc18c3024fe37b7db
CRs-Fixed: 2321371
While handling WMI_GTK_OFFLOAD_STATUS_EVENTID, QDF_BUG()
can occur in pmo_tgt_gtk_rsp_evt->pmo_psoc_get_vdev if
vdev_id is out of range. As the value is directly from
WLAN FW and can be outside the trust boundary.
Add sanity check for vdev id once get parameter from
wlan fw.
Change-Id: I335df52fece39c1a51a556ba4678bd43f470673a
CRs-Fixed: 2321523
Add host WMI support for EAPOL minrate resource configuration.
Through the use of the global.ini configuration parameter -
eapol_minrate_set and eapol_minrate_ac_set, the user can set EAPOL
frames to be sent in minimum rate in tunnel mode. In addition to
this, the user can also select between the 4 ACs (BE, BK, VI, VO)
to send the EAPOL frames.
The changes are reflected in the target resource config which
is sent to the firmware.
Change-Id: Ib9a264b64305bf43708c3c2af3ff254b6cc28477
CRs-Fixed: 2298020
Update WMI_NDL_SCHEDULE_UPDATE_EVENTID handling for possible out
of bounds read when fixed_params->num_channels is greater than
TLV length of NDL channel list or NSS list and fixed_params->
num_ndp_instances is greater than TLV length of NDP Instance list.
Change-Id: Idbd74e30868597c9787095372516b7d7dd12481b
CRs-fixed: 2327673
Update handling of WMI_NDP_CONFIRM_EVENTID for possible out of
bounds read when fixed_params->num_ndp_channels is greater than
TLV length of NDP channel list or NSS list
Change-Id: I3bf429a47c46edbb464cf8447f227f7baa74fbe3
CRs-fixed: 2325849
In the existing converged component, WMI TLV APIs are implemented in
a generic manner without proper featurization. All the APIs exposed
outside of WMI are implemented in wmi_unified_api.c and all the APIs
forming the CMD or extracting the EVT is implemented in wmi_unified_tlv.c.
Since WIN and MCL have a unified WMI layer in the converged component and
there are features within WIN and MCL that are not common, there exists a
good number of WMI APIs which are specific to WIN but compiled by MCL and
vice-versa. Due to this inadvertent problem, there is a chunk of code and
memory used up by WIN and MCL for features that are not used in their
products.
Featurize WMI APIs and TLVs that are specific to WIN
- Air Time Fareness (ATF)
- Direct Buffer Rx (DBR)
- Smart Antenna (SMART_ANT)
- Generic WIN specific WMI (AP)
Change-Id: I7b27c8993da04c9e9651a9682de370daaa40d187
CRs-Fixed: 2320273
NAN vdev ref count incremented as part of end_ind handler
is not released which will result in the nan vdev not
getting physically deleted.
Fix is to release nan vdev ref in os_if_ndp_end_ind_handler.
Change-Id: I31a32fa241fb9e86d3a64d490722bc42905970c4
CRs-Fixed: 2325580
Due to change in Opclass calculation in the new
regulatory component invalid opclass is returned for the
TDLS component. Update arguments to calculate opclass correctly
to regulatory component.
Change-Id: I062bbb55d283f9525da241d32177e26d07aa8590
CRs-Fixed: 2325834
Fix the possible out of bound access while processing the
channel avoid frequency event from FW.
Change-Id: Ib49df0ebd785944b7cbbfa5927613887dd35d9ff
CRs-Fixed: 2308629
Add bound check rssi_event->num_per_chain_rssi_stats in
extract_all_stats_counts_tlv().
ev->num_chain_rssi_stats in
target_if_cp_stats_extract_vdev_chain_rssi_stats()
is derived from rssi_event->num_per_chain_rssi_stats
and is used as limit in for loop.
As length was never checked multiple qdf_mem_copy calls in
wmi_extract_per_chain_rssi_stats() used in
target_if_cp_stats_extract_vdev_chain_rssi_stats()
will result in an OOB issue.
Change-Id: I204744e1435e687e33f2165744a92cdb8b975a51
CRs-Fixed: 2322298
Separate WMI MGMT RX event logging from main WMI event
logging because WMI MGMT RX event is too frequent and its
over-running useful WMI control path events.
Change-Id: Iacd1576c3e133b70224e45f589f566c73637a626
CRs-Fixed: 2318021
FW generates too many diag events and these diag events
also come on CE-2 together with other critical control
path WMI events and easily over-run useful control path
WMI RX even log buffer. Separate WMI diag rx event loggig
in a separate log buffer such that useful control path WMI
log event buffer is not over-run.
Change-Id: I89b5d88036bc9d7e57e8e16858bc556be4e2ed41
CRs-Fixed: 2318083
Use WMI layer tdls_offchan_mode enum value while sending tdls
offchannel mode request to FW.
Change-Id: I3faee2d22ab2bcbf99918d46eeeb5b5bbe925048
CRs-Fixed: 2320796
Register WMI with wbuff for pre-allocation of
skbs. Register at wmi_unified_attach() and
de-register at wmi wmi_unified_detach().
Change-Id: I9d6df1a8480324dd2a258de12672669a8fbe8940
CRs-Fixed: 2313935
Create and send user configurable ini for max number of roam preauth
retries and roam preauth no-ack timeout to the firmware.
Change-Id: I0343cb29952286d9b42a69136fc6353cd86e4752
CRs-Fixed: 2286079
wmi_mtrace is defined as static in wmi_unified_tlv.c and
used in TLV functions, but some TLVs need to be featurized
and moved to separated TLV files. Need to export wmi_mtrace
for external use.
Change-Id: I9459ec01c9cd4a89f3544d6a9831acba56e6a278
CRs-Fixed: 2314779
No data length check when extract control panel stats of pdev,
vdev and peer etc, may result in buffer overflow.
Fixed param of cp stats indicates numbers of pdev, vdev and peer
etc in cp stats. Need do length check to make sure actual tlv
data length is same as expected.
Change-Id: I8750d4e10048930222059897a24804e9f2c91ab5
CRs-Fixed: 2305421
WDS entry should be removed before adding peer with same mac address.
iIn DBDC mode, this can be ensured only by waiting for response for WDS
delete from FW before creating peer. Add logic to defer AUTH until WDS
is removed from FW.
Change-Id: Ie76d08c4817f953504913ae6cc49fc5388169e4a
CRs-Fixed: 2270592
Host changes to enable HTT version 2 messaging for
PEER map and unmap in FW and changes to handle these
messages in host
Change-Id: Ifbe478212bbbc9c9ea1c1e4791c7a78407c376cc
Update handling of WMI_SAR_GET_LIMITS_EVENTID for a possible OOB that
can occur if param_buf->fixed_param.num_limit_rows is greater than
actual TLV length of param_buf->sar_get_limits array.
Change-Id: Iccacbb3689e6a7bdd73b2b1f0517d011ccf6d076
CRs-fixed: 2307276
Make the HECAP and HEOP changes for 11ax Draft3.0.
Draft2.0 support can still be enabled by unsetting
SUPPORT_11AX_D3 in config.unified.wlan.profile.
Change-Id: I0c0fd885a43b672baca61011b75a51526481b1ee
CRs-fixed: 2294235
We are transitioning to new logging infrastructure
by using existing mtrace functionality.
Add new logging for complete WMI module.
Change-Id: Ifbc81a6f119ff63b69e3558ad7becb1eaefae8ca
CRs-Fixed: 2301964
For qdf_mtrace 15 bits are reserved for message id and currently
WMI message IDs are getting used as 32 bit IDs.
Write a wrapper function which accepts 32 bit message IDs and
converts this 32 bit message id to 15 bit by extracting
WMI_GRP_ID and WMI_MESSAGE_ID in that group. New 15 bit
message ID for qdf_mtrace will be constucted as 8 bits
(From LSB) specifies the WMI_GRP_ID and remaining 7 bits
specifies the actual WMI command. With this notation there
can be maximum 256 groups and each group can have max 128
commands which can be supported.
Change-Id: Ia5adfc079b63c2311bdc8ae4c73488d89afd462f
CRs-Fixed: 2298877
Add wmi layer support to get firmware roam scan statistics which includes
scoring of roam candidates, channels, old and new bssids etc.,
Change-Id: I3a0aafbe66d12eea40e71ceb4c7c3a60b9d6e04f
CRs-Fixed: 2203904
The function extract_pdev_utf_event_tlv, is called when the WMI
event WMI_PDEV_UTF_EVENTID is received. The event_buf
argument to it is fully FW controlled. There is an assumption
that the WMI message is at least the size of struct
wmi_host_utf_seg_header_info which could lead to OOB read issues
when a shorter message is sent.
Add fix to validate the event->datalen passed against
sizeof(struct wmi_host_utf_seg_header_info) before copying to
seg_hdr.
Change-Id: I1a8313f11013722edb601c009e59b1509fda3280
CRs-Fixed: 2305465
There is possible to read buffer overflow. Since it don't check number
of NOA descriptor when handling WMI_P2P_NOA_EVENTID.
Change-Id: I08fc3ac429bc19a8df7ac429fbe779fa3b227318
CRs-Fixed: 2307321
