In function add missing check for regulatory domain before assuming
channel 120-130 to be ETSI weather channel.
Change-Id: Ief9761b5ac06a511a4132f71c0a63c796741149d
CRs-Fixed: 2150264
__wlan_hdd_cfg80211_do_acs mallocs memory of
adapter->session.ap.sap_config.acs_cfg.ch_list
without checking and freeing the original memory.
If hostapd is killed by -9 and interface wlan0 keeps on,
wlan_hdd_cfg80211_stop_ap and wlan_hdd_undo_acs aren't called and
acs_cfg.ch_list memory isn't freed.
If hostapd is started again, __wlan_hdd_cfg80211_do_acs is called again and
mallocs memory of acs_cfg.ch_list again; the last malloced memory is leaked.
Change-Id: Ia45615aa75841381b13a2f779cb5d355526d78a2
CRs-Fixed: 2150040
During starting of SAP, after extracting the pointer to the country IE,
country code is copied without proper IE length validation. A smaller
than acceptable IE length can cause out of bound memory access.
Validate length with the minimum acceptable length before copying.
Change-Id: Ie2115bdbd22badd51ea40d028331ef1a74b02281
CRs-Fixed: 2150285
qcacld-2.0 to qcacld-3.0 propagation
There can be a possible race in updation of roam substate
between csrRoamWaitForKeyTimeOutHandler and upper layer
disconnect in csrRoamIssueDeauth. Race can be as follows.
Driver roam substate is eCSR_ROAM_SUBSTATE_WAIT_FOR_KEY by
the time csrRoamWaitForKeyTimeOutHandler is invoked. This
can allow check CSR_IS_WAIT_FOR_KEY to pass. If MC thread
gets preempted and if driver processes upper layer disconnect,
then driver changes roam substate to eCSR_ROAM_SUBSTATE_DEAUTH_REQ
in csrRoamIssueDeauth. When MC thread resumes processing of
csrRoamWaitForKeyTimeOutHandler, then driver changes roam
substate to eCSR_ROAM_SUBSTATE_NONE. This can result in
unhandling of eWNI_SME_DEAUTH_RSP as roam substate is not in
eCSR_ROAM_SUBSTATE_DEAUTH_REQ and can result in active command
timeout. Hence, update roam substate atomically in same context
if CSR_IS_WAIT_FOR_KEY passes in csrRoamWaitForKeyTimeOutHandler.
Change-Id: I05cfc8de54fe4196df941c2fd48db8bedc7df779
CRs-Fixed: 2155141
When the SSR and interface down happen in parallel,
the driver rejects the interface down since the
recovery is in progress. Kernel ignores the -EAGAIN
request from the driver and as part of NET_DOWN notification
in cfg80211_netdown_notifer the kernel invokes the
___cfg80211_scan_done to free the request but doesn't send
scan_result indication, since it expects the scan_done work to
get scheduled and then broadcast the request to upper layer.
Change-Id: Id698044ebe30cf555300e909a916d74be1f8b94f
CRs-Fixed: 2115392
Fix implicit conversion from enumeration type 'tSirRFBand'
to different enumeration type 'eCsrBand'
Currently 3 different types of enums exist to enumerate the
band type. Remove eCsrBand and tSirRfBand and
use tSirRFBand everywhere.
Change-Id: I1862c6d3a5daca7523870b7f0931ee4f20c7ce4f
CRs-Fixed: 2145080
Fix implicit conversion from enumeration type
'enum eSirMacStatusCodes' to different enumeration type
'tSirResultCodes' in function __lim_process_sme_assoc_cnf_new().
Change-Id: I1179014e3a190427f6bbfcbc62a3b82f0b187a0f
CRs-Fixed: 2145080
Regpair for country AR and CL are missing which results in a crash.
Add regpair for country AR and CL.
Change-Id: I219e92cc09d6237774f87f8d0a75d2ddea5d59ef
CRs-Fixed: 2154123
In function lim_parse_kde_elements, elem_len is obtained from the
assoc response IE buffer and is used to decrement rem_len in the
while loop. If the value of elem_len is greater than rem_len, an
integer underflow would happen to rem_len leading to buffer overread.
Also, if elem_len is greater than kde_list_len, a buffer overread
would occur when incrementing the temp_ie pointer.
Add sanity check to make sure elem_len is not greater than
kde_list_len or rem_len.
Change-Id: If126bb0e14b57f3594679b91d54cc0f1ffaa6f66
CRs-Fixed: 2152946
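
The length check described in the lim_parse_kde_elements message above, as an added example that is not the driver's code. It assumes a 1-byte id / 1-byte length element header and a 16-bit remaining-length counter; the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ELEM_HDR_LEN 2 /* assumed layout: 1-byte id, 1-byte length */

/* Constructed samples: two well-formed elements, then the same list with
 * the second element claiming 200 value bytes when only 1 remains. */
static const uint8_t sample_ok[]  = { 0xdd, 0x02, 0xaa, 0xbb, 0xdd, 0x01, 0xcc };
static const uint8_t sample_bad[] = { 0xdd, 0x02, 0xaa, 0xbb, 0xdd, 0xc8, 0xcc };

/* What an unchecked "rem_len -= elem_len" leaves behind (assumed 16-bit
 * counter): the value wraps, so a "rem_len > 0" loop test keeps passing. */
uint16_t unchecked_decrement(uint16_t rem_len, uint8_t elem_len)
{
    return (uint16_t)(rem_len - elem_len);
}

/* Walk the element list. Returns the number of well-formed elements, or -1
 * if an element claims more bytes than remain or trailing bytes are left. */
int count_elements(const uint8_t *list, size_t list_len)
{
    const uint8_t *p = list;
    size_t rem_len = list_len;
    int count = 0;

    while (rem_len >= ELEM_HDR_LEN) {
        size_t elem_len = p[1];

        p += ELEM_HDR_LEN;
        rem_len -= ELEM_HDR_LEN;
        /* Sanity check: reject before touching the pointer or the counter. */
        if (elem_len > rem_len)
            return -1;
        p += elem_len;
        rem_len -= elem_len;
        count++;
    }
    return rem_len == 0 ? count : -1;
}

int main(void)
{
    printf("ok list:  %d\n", count_elements(sample_ok, sizeof(sample_ok)));
    printf("bad list: %d\n", count_elements(sample_bad, sizeof(sample_bad)));
    printf("unchecked 1 - 200 = %u\n", unchecked_decrement(1, 200));
    return 0;
}
```
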
Check if the FILS information is valid by checking for
non-zero length for all the parameters and then proceed
with the connection
Change-Id: I8e24afd7e1d9f4b2107e7f6efc0455b40aecd087
CRs-Fixed: 2132562