In function add missing check for regulatory domain before assuming
channel 120-130 to be ETSI weather channel.
Change-Id: Ief9761b5ac06a511a4132f71c0a63c796741149d
CRs-Fixed: 2150264

__wlan_hdd_cfg80211_do_acs mallocs memory for
adapter->session.ap.sap_config.acs_cfg.ch_list
without checking for and freeing the original memory.
If hostapd is killed by -9 and interface wlan0 stays up,
wlan_hdd_cfg80211_stop_ap and wlan_hdd_undo_acs aren't called, so the
acs_cfg.ch_list memory isn't freed.
If hostapd is started again, __wlan_hdd_cfg80211_do_acs is called again,
memory for acs_cfg.ch_list is malloced again, and the previously malloced memory is leaked.
Change-Id: Ia45615aa75841381b13a2f779cb5d355526d78a2
CRs-Fixed: 2150040

During SAP start, after extracting the pointer to the country IE, the
country code is copied without proper IE length validation. A smaller
than acceptable IE length can cause out of bound memory access.
Validate the length against the minimum acceptable length before copying.
Change-Id: Ie2115bdbd22badd51ea40d028331ef1a74b02281
CRs-Fixed: 2150285

qcacld-2.0 to qcacld-3.0 propagation
There can be a possible race in the update of the roam substate
between csrRoamWaitForKeyTimeOutHandler and upper layer
disconnect in csrRoamIssueDeauth. The race can be as follows.
Driver roam substate is eCSR_ROAM_SUBSTATE_WAIT_FOR_KEY by
the time csrRoamWaitForKeyTimeOutHandler is invoked. This
can allow the CSR_IS_WAIT_FOR_KEY check to pass. If the MC thread
gets preempted and the driver processes an upper layer disconnect,
then the driver changes the roam substate to eCSR_ROAM_SUBSTATE_DEAUTH_REQ
in csrRoamIssueDeauth. When the MC thread resumes processing of
csrRoamWaitForKeyTimeOutHandler, the driver changes the roam
substate to eCSR_ROAM_SUBSTATE_NONE. This can result in
eWNI_SME_DEAUTH_RSP going unhandled, as the roam substate is not
eCSR_ROAM_SUBSTATE_DEAUTH_REQ, and can result in an active command
timeout. Hence, update the roam substate atomically in the same context
if CSR_IS_WAIT_FOR_KEY passes in csrRoamWaitForKeyTimeOutHandler.
Change-Id: I05cfc8de54fe4196df941c2fd48db8bedc7df779
CRs-Fixed: 2155141

When the SSR and interface down happen in parallel,
the driver rejects the interface down since the
recovery is in progress. The kernel ignores the -EAGAIN
returned by the driver and, as part of the NET_DOWN notification
in cfg80211_netdown_notifer, the kernel invokes
___cfg80211_scan_done to free the request but doesn't send the
scan_result indication, since it expects the scan_done work to
get scheduled and then broadcast the request to the upper layer.
Change-Id: Id698044ebe30cf555300e909a916d74be1f8b94f
CRs-Fixed: 2115392

Fix implicit conversion from enumeration type 'tSirRFBand'
to different enumeration type 'eCsrBand'.
Currently 3 different enum types exist to enumerate the
band type. Remove eCsrBand and tSirRfBand and
use tSirRFBand everywhere.
Change-Id: I1862c6d3a5daca7523870b7f0931ee4f20c7ce4f
CRs-Fixed: 2145080

Fix implicit conversion from enumeration type
'enum eSirMacStatusCodes' to different enumeration type
'tSirResultCodes' in function __lim_process_sme_assoc_cnf_new().
Change-Id: I1179014e3a190427f6bbfcbc62a3b82f0b187a0f
CRs-Fixed: 2145080

Regpairs for countries AR and CL are missing, which results in a crash.
Add regpairs for countries AR and CL.
Change-Id: I219e92cc09d6237774f87f8d0a75d2ddea5d59ef
CRs-Fixed: 2154123

In function lim_parse_kde_elements, elem_len is obtained from the
assoc response IE buffer and is used to decrement rem_len in the
while loop. If the value of elem_len is greater than rem_len, an
integer underflow would happen to rem_len, leading to a buffer overread.
Also, if elem_len is greater than kde_list_len, a buffer overread
would occur when incrementing the temp_ie pointer.
Add a sanity check to make sure elem_len is not greater than
kde_list_len or rem_len.
Change-Id: If126bb0e14b57f3594679b91d54cc0f1ffaa6f66
CRs-Fixed: 2152946

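The country IE fix and the lim_parse_kde_elements fix above are the same defensive pattern: bound a length byte read from the frame against the bytes that remain before it is used for any pointer arithmetic or copy, and check the element is at least as long as the field you are about to copy out of it. The following is an added example written for this changelog, not qcacld-3.0 code; the IE id constant, the minimum-length constant, the sample frames and the function names (find_ie, extract_country_code, the check_* helpers) are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants assumed for this example (not the driver's own definitions). */
#define IE_HDR_LEN       2   /* element id byte + length byte */
#define IE_ID_COUNTRY    7   /* 802.11 Country element id */
#define COUNTRY_CODE_LEN 3   /* two ASCII letters + environment byte */

/*
 * Locate the element with the given id in a buffer of id/len/value triples.
 * The advertised length is checked against the bytes remaining BEFORE the
 * cursor advances and before rem_len is decremented, so an oversized length
 * byte can neither wrap the unsigned rem_len nor push the pointer past the
 * end of the buffer. Returns a pointer to the value bytes (length stored in
 * *elem_len_out), or NULL if the buffer is malformed or the id is absent.
 */
const uint8_t *find_ie(const uint8_t *buf, size_t buf_len, uint8_t id,
                       size_t *elem_len_out)
{
    size_t rem_len = buf_len;
    const uint8_t *p = buf;

    while (rem_len >= IE_HDR_LEN) {
        uint8_t elem_id = p[0];
        size_t elem_len = p[1];

        /* Reject before elem_len takes part in any arithmetic. */
        if (elem_len > rem_len - IE_HDR_LEN)
            return NULL;

        if (elem_id == id) {
            *elem_len_out = elem_len;
            return p + IE_HDR_LEN;
        }
        p += IE_HDR_LEN + elem_len;
        rem_len -= IE_HDR_LEN + elem_len;
    }
    return NULL;
}

/*
 * Copy the country code out of the Country element, validating the element
 * length against the minimum the copy needs. Returns true on success.
 */
bool extract_country_code(const uint8_t *buf, size_t buf_len,
                          uint8_t out[COUNTRY_CODE_LEN])
{
    size_t elem_len;
    const uint8_t *country = find_ie(buf, buf_len, IE_ID_COUNTRY, &elem_len);

    if (!country)
        return false;
    /* An element shorter than the code itself must not be copied from. */
    if (elem_len < COUNTRY_CODE_LEN)
        return false;
    memcpy(out, country, COUNTRY_CODE_LEN);
    return true;
}

/* Constructed sample frames for the demonstration. */
static const uint8_t good_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',                 /* SSID element "test" */
    0x07, 0x06, 'U', 'S', 0x20, 0x01, 0x0b, 0x14    /* Country "US " + one triplet */
};
/* Country element advertising only 2 bytes: too short to hold a code. */
static const uint8_t short_country[] = { 0x07, 0x02, 'U', 'S' };
/* Length byte 0xff points far past the end of a 9-byte buffer. */
static const uint8_t overrun_ies[] = { 0x00, 0x04, 't', 'e', 's', 't', 0x07, 0xff, 'U' };

/* 1 if the well-formed frame yields "US". */
int check_good_frame(void)
{
    uint8_t cc[COUNTRY_CODE_LEN];
    if (!extract_country_code(good_ies, sizeof good_ies, cc))
        return 0;
    return cc[0] == 'U' && cc[1] == 'S' && cc[2] == 0x20;
}

/* 1 if the undersized Country element is refused. */
int check_short_country_rejected(void)
{
    uint8_t cc[COUNTRY_CODE_LEN];
    return !extract_country_code(short_country, sizeof short_country, cc);
}

/* 1 if the frame with an overrunning length byte is refused. */
int check_overrun_rejected(void)
{
    uint8_t cc[COUNTRY_CODE_LEN];
    return !extract_country_code(overrun_ies, sizeof overrun_ies, cc);
}

int main(void)
{
    printf("good frame: %d\nshort country rejected: %d\noverrun rejected: %d\n",
           check_good_frame(), check_short_country_rejected(),
           check_overrun_rejected());
    return 0;
}
```

The ordering inside the loop is the point: the comparison against `rem_len - IE_HDR_LEN` happens while `rem_len` is still known to be at least `IE_HDR_LEN`, so the subtraction cannot wrap, and the element is only dereferenced or skipped after its length has been proven to fit.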
Check if the FILS information is valid by checking for
non-zero length for all the parameters and then proceed
with the connection.
Change-Id: I8e24afd7e1d9f4b2107e7f6efc0455b40aecd087
CRs-Fixed: 2132562

When dual band mode for SAP is enabled from the UI, packets
for the 2G SAP will be dropped before DFS CAC finishes.
Adjust the channel check to avoid packet drops in lim_handle80211_frames:
1. non-SBS mode: bypass 2G channel packets
2. SBS mode: bypass non-DFS channel packets
Change-Id: Ib292fa3d6366fd7ea045480f61ce1890ac8c320a
CRs-Fixed: 2132883

Currently, for the Scan for SSID failure case, roam_info is not passed to
hdd_association_completion_handler, leading to the driver not sending
FILS seq num info to the supplicant. This makes the supplicant
trigger a full EAP connection instead of FILS in the next connect.
Pass roam_info from csr_scan_handle_search_for_ssid_failure to
hdd_association_completion_handler and populate and send FILS seq
number info to the supplicant.
Change-Id: I4e0a4c3cb55a286b1c66424f6b3a61c020c522a0
CRs-Fixed: 2146342