Currently, while parsing the scan RNR IE, data is moved to the
next neighbor_ap_info_field after parsing the current
neighbor_ap_info_field. But in the last iteration the pointer may
try to access invalid data if ((uint8_t *)ie + rnr_ie_len + 2)
bytes are less than sizeof neighbor_ap_info_field, and the same
is the case with the tbtt_length access.
The fix is to add a length check of data + the next data size to be
parsed < ((uint8_t *)ie + rnr_ie_len + 2) instead of adding a
validation of the data length only.
CRs-Fixed: 3710080
Change-Id: I05e5a9a02f0f4f9bc468db894588e676f0a248c0
A malformed beacon frame may dereference a NULL pointer while
parsing the MBSSID IE in util_scan_parse_mbssid, which will lead to a crash.
Add a check in util_scan_parse_mbssid for split_prof_start before
passing it to util_gen_new_ie, and assign zero to split_prof_len
whenever split_prof_start is freed to avoid an unanticipated scenario.
Change-Id: Ibb9739d6b5d1775ab52d59f9aa5050ca693cd926
CRs-Fixed: 3717571
If the length of the MBSSID IE is 0, then there is a potential
OOB read in util_scan_parse_mbssid(), when the Max BSSID indicator
field is accessed.
To fix this, do not proceed with MBSSID parsing if the length
of the MBSSID IE is zero.
Change-Id: I2c7a7641b77fed20a910cb77035588a7540caa62
CRs-Fixed: 3717567
If the tag length in next_elem is some invalid high value, then the
existing length check can still pass and lead to an OOB access.
Add an OOB check w.r.t. the total IE length to ensure it has the
minimum number of bytes in the buffer.
Change-Id: I9778a3e0ced05d3246d91e23c2a47f7318634d75
CRs-Fixed: 3717566
A 2 GHz link's CCFS may not be filled correctly in the VHT/HE op; a wrong CCFS0
is obtained from util_scan_sec_chan_freq_from_htinfo and passed to the kernel,
the regulatory check fails, and a disconnect happens.
To fix it, add a new API util_scan_ccfs0_from_htinfo, and get CCFS0 from it.
Change-Id: I0e8879f13cff37b85cffb6446cc15c60c05465d2
CRs-Fixed: 3739815
Currently, the minimum MBSSID IE length value in the driver
is set to 4. Some APs advertise this value as 1. In such
situations, the driver fails to parse the IE.
So, to avoid such cases, modify the minimum MBSSID IE length
value to 1.
Change-Id: I6ef89706b95318cb9bd38e04cab56b0fdef99fd5
CRs-Fixed: 3684794
Currently, in the function "util_get_ml_bv_partner_link_info" the driver
accesses the ML IE memory with an offset which is calculated from the ML IE
length and increments this offset with other values (such as
perstaprof_stainfo_len). But this can lead to an OOB access of the ML IE when
this offset value is incremented beyond the ML IE length.
So, to fix this, add a check for the offset before accessing the ML IE.
Change-Id: Ie7312ab3379fce16e5b0f83d07d46f263f774ed8
CRs-Fixed: 3710085
Currently, in the MLO T2LM API, wlan_mlo_parse_bcn_prbresp_t2lm_ie
is missing frame boundary checks, which may lead to out-of-bounds
reads if the lengths are not checked by the caller.
The fix is, while parsing the T2LM IE, to pass the frame length and add
a check for the frame boundary.
CRs-Fixed: 3704739
Change-Id: If3068db3489ee1c9a9da4945407598e27e3ca276
While parsing the ESP IE from a beacon/probe response frame,
the condition in the loop to copy ESP_INFO from the ESP IE is
incorrect, which will iterate 5 times rather than 4 times;
this may cause an OOB access.
data < ((uint8_t *)esp_ie + esp_ie->esp_len + 3)
Here 3 is added to esp_ie->esp_len; actually esp_len itself is
1 byte extra (esp_len = ESP_ID_EXTN + ESP_INFO * 4),
but adding 3 again will loop for one more iteration, and
this will cause an OOB access.
Remove the 3 in the loop condition to avoid one more extra iteration,
and ignore the ESP_ID_EXTN element for the total elements, in function
util_scan_update_esp_data.
Change-Id: Ia9226e483672369af36c6914e3ac914fe9de45e5
CRs-Fixed: 3710081
Currently, while generating the non-TX VAP scan entry from the
TX VAP beacon or probe response MBSSID IE, the driver copies
the ML IE from the MBSSID IE and the main frame, which leads to 2 ML IEs
in the TX VAP frame.
The fix is to add a proper check to copy the non-TX VAP ML IE from the
MBSSID IE.
CRs-Fixed: 3708786
Change-Id: I93f2552fe8a0080ffc871b39b164fadd86df8ff0
Each link in MLO can have different RSN capabilities with
different AKMs, PMF capability, UC/MC cipher suites and so on.
For any choice of links for an MLO connection, the AKMs of the
links should have one common AKM.
Eliminate partner links without overlapping AKMs from the MLO
connection.
Modify the partner link AKM to match the assoc link AKM, so that
only the overlapping AKM is chosen even though an AKM with
higher security exists for the partner link.
Change-Id: I9573e938789a4b95ae824872845d31008861f6f2
CRs-Fixed: 3693814
For a non-Tx MBSSID ML AP, the ML probe req may not receive any response
from the MBSSID AP, and later the partner link may fail to connect as
the scan entry is not present.
Introduce a new flag to suggest whether the partner link scan entry
is present or not in the scan DB. If the flag is set to true, generate
a scan entry for such links.
Introduce new APIs which will generate an ML probe resp using
the per-STA profile of the partner link from the assoc resp frame.
Introduce an API to get the current candidate scan entry from the
connect request.
Change-Id: I1c33956b01eb468afa26be5b0bfba634ee3a0aee
CRs-Fixed: 3675830
The wireless environment may have APs with the same BSSID but different
MLD address, and if any AP's BSSID is similar to the current
candidate's affiliated partner link BSSID, then receiving a beacon
or probe resp from such APs will override the affiliated link's
scan entry, and the MLD address may be different or NULL if the
AP is non-ML.
If the link VDEV connection starts and during candidate selection
it finds the scan entry of this other AP and attempts to drive the
connection, this will lead to creating the ML link VDEV's peer with a
different MLD address than the assoc VDEV's peer.
Enhance the scan filter to match the MLD address for the link VDEV to avoid
such a scan entry override.
Change-Id: I11c9b4efdf2d60e92482b296d731d613a200bf0e
CRs-Fixed: 3668326
Currently, if the TBTT length is more than the max supported length,
the driver doesn't parse the MLD information from the RNR IE. This leads
to SLO rather than MLO.
Add the fix to restrict the max length to the currently supported max
length, which helps to parse the ML information further,
resulting in ML association.
CRs-Fixed: 3679296
Change-Id: Id8c58044be162f638ed5e74e0fd04aa0b77780f5
In order to identify certain vendor APs, the generated
AP beacon from the MBSSID non-Tx profile shall include these
Vendor Specific IEs (VSIEs).
If any matching VSIE of interest is present, copy the
IE to the generated frame.
Change-Id: Ic3566ad0123c7353d7ace1b0077d6a3730d10dc8
CRs-Fixed: 3682937
Currently, a scan on the same MAC channel is not allowed where
LL_LT_SAP is present.
But as part of this change, allow a scan on the same MAC channel
where LL_LT_SAP is present.
Change-Id: I0c781caa70bf5c95c0639218dd08a409ebeefbfc
CRs-Fixed: 3636119
The STA Info Length subfield of the STA Info field indicates the number of
octets in the STA Info field, including one octet for the STA Info
Length subfield.
In the current implementation, one extra byte is added to the STA Info
Length subfield to access the STA Profile subfield. Due to this, the driver
is unable to extract the CSA, ECSA and MCST IEs from the STA profile.
To fix this, don't add WLAN_ML_BV_LINFO_PERSTAPROF_STAINFO_LENGTH_SIZE
to the offset field to access the STA Profile subelement.
Change-Id: I99fb3c5d1bfb9b3bf414fc0b778d724e98a3c7ae
CRs-Fixed: 3640538
Add a cfg set API to configure scan mode for 6 GHz. This is
invoked in reset HE capability API.
Change-Id: If4891036dec3777d85f3584eef965ed65ececadd
CRs-Fixed: 3629445
In the MLO-MBSSID test, the STA can request information of the
non-Tx BSS through the Tx BSS by configuring the non-Tx BSS MLD
ID within the ML probe request that is invoked as part
of the scan request. Add support to configure the MLD ID in the
scan start params to FW.
Change-Id: I4a6debf6c3ec830fbe3aee1d3aa60ad7218cbcd6
CRs-Fixed: 3591596
Currently, the below 11BE RNR TBTT field doesn't get processed when
11BE is not defined:
TBTT_NEIGHBOR_AP_BSSID_S_SSID_BSS_PARAM_20MHZ_PSD_MLD_PARAM
So, the station is not able to parse the RNR IEs from 11BE APs.
Parse TBTT_NEIGHBOR_AP_BSSID_S_SSID_BSS_PARAM_20MHZ_PSD_MLD_PARAM
always, but extract 11BE info only when the 11BE define is enabled.
Also, clean up the duplicate code.
Change-Id: I49e38875f3f0a3ab238636f7a8e0f93c7aa4d04b
CRs-Fixed: 3624227
Currently, the default value of the last_scan_ageout_time ini is 0 sec.
Modify it to 30 sec to avoid a dependency on userspace
configuration.
Change-Id: If0d00c98950a0c20f22ee73d01e4442bd0d677c0
CRs-Fixed: 3625696
Add a "memory not allocated" debug print when failing to allocate
memory for a scan node.
Change-Id: I77c9a3deeb9fff9fd265188060ff3aa3aa17b866
CRs-Fixed: 3611905
In the scenario of MLO 5 GHz + 6 GHz where 6 GHz is a non-Tx AP in
MBSSID, if the DUT tries to connect to the 5 GHz link as the assoc link and uses
the scan entry generated from the 5 GHz beacon, then there is no info
about profile index and count in the scan entry, and this info is
necessary for firmware when the vdev is up.
To resolve this issue, get the info from the 6 GHz scan entry if it
exists.
CRs-Fixed: 3616899
Change-Id: Ic9bf9bc107c3486be1e87ea2c19c5d388ca41883
The host needs to check that new scan is enabled on the device before
sending a scan request.
Changes are as follows:
- Add a new scan bit to the scan obj.
- Fetch the new scan service bit from FW.
- Update new scan in the scan obj based on the service bit from FW.
Change-Id: I19d874e859208dcdb2476e0fd2fbd61fcc77e565
CRs-Fixed: 3509136
When generating MBSSID beacon/probe response frames, it
misses the last IE in the MBSSID IE list. To address it,
correct the compared length.
CRs-Fixed: 3609711
Change-Id: Ia406be0ade901c9bc01698faec473bd25c59dfb3
Include the Extended MLD Capabilities & Operations subfield size
calculation in the calculation of the Common Info Length of the
Basic Variant ML-IE parsing.
Change-Id: I8fea9058dc37b7605827ef827a3ccba71be00982
CRs-Fixed: 3590364
For a multi-link connection there might be a case where the
RSNXE of the AP is not present on the link vdev.
This causes the link vdev alone to downgrade to 11ax
mode while the assoc vdev is in 11be dot11 mode.
So for the vdev with the ML peer, the dot11mode is 11ax,
which causes abnormal firmware behavior.
Reject the partner link that doesn't pass the security
check and validate the next available partner link.
If none of the partner links passes the security check,
proceed with the connection with a single link.
Change-Id: I080557027180c0566a1c284a93fcc4b69c61a9c8
CRs-Fixed: 3581189
In some scenarios, mbssid_info->prof_residue could be set to
true, hence mbssid_info->split_prof_continue will also be
set to true. Then in the next loop, if the buffer split_prof_start
is freed but split_prof_end is not reinitialized to NULL,
a use-after-free happens.
To address this issue, reinitialize split_prof_end properly
when split_prof_start is freed.
Change-Id: Iad7448868cfa4c2dd7922f6c1b2622cf20a6a28c
CRs-Fixed: 3583521
Currently PM_LL_LT_SAP_MODE is not handled in the policy manager.
With this change, add support for PM_LL_LT_SAP_MODE in the policy
manager.
Change-Id: I7b893b04498957eb4a7e9f74c4b4395d4a823bf9
CRs-Fixed: 3536612
APs can broadcast support for 20 & 40 MHz in the
HT cap IE and also operate in 20 MHz.
Therefore, use the extension channel offset field
of the HT info IE to identify the bandwidth of the
BSS.
Change-Id: I9987d45ec34ba3327b43ef70eb891d346e9e78c9
CRs-Fixed: 3587792
In the API wlan_scan_start(), a redundant check for
scan_start_req is observed in some static analysis
tool.
Remove the redundant check in the API
wlan_scan_start() as the check is present in the
API scm_scan_free_scan_request_mem.
Change-Id: Ic320bb95253668310c5d738216daba62ba2f4b3f
CRs-Fixed: 3528505
Currently, during scanning, while parsing the received beacons,
the beacon IEs are checked to verify whether the channel
present in the beacon is invalid. If the channel is found to be
invalid, the corresponding beacons are dropped. This check treats
the channels in the NOL list as invalid channels.
Consider a case of a repeater with RCSA enabled; when the RE
detects a radar, the RE adds the radar detected channels to
NOL and sends an RCSA action frame to the Root AP to intimate
the Root about the radar detection. The RE will also wait for the
Root to send CSA to RE. But in this case, the RE will not parse
the CSA IE received from the Root, as the beacons from the Root
AP are dropped, as the channel present in the beacon is
considered invalid.
The purpose of the channel validity check in the beacon parsing is
to avoid receiving beacons from an invalid channel, that is, the
channels that are not supported by the device. Since NOL channels
are valid, we can parse the beacons received from an NOL channel.
Therefore, to fix this issue, use the regulatory API
'wlan_reg_is_freq_enabled' instead of the API
'wlan_reg_is_disable_for_pwrmode' to check if the channel is
invalid.
The API 'wlan_reg_is_freq_enabled' treats NOL channels as valid
channels.
Change-Id: Iad502363c0ad15be2a009480c49bffcf8e004943
CRs-Fixed: 3513560
For MLO 5+6, the 6 GHz band score is higher than 5 GHz, so the 6+5 total score is
higher than 5+6; 6+5 is always selected before 5+6 even when the 6 GHz link score is
much worse than 5 GHz.
To fix it, calculate each link score for each MLO AP; if the assoc link is the
best link, add a boost score, so that it can be selected first.
Update band weight and score for both SLO and MLO; select the average of the link
band scores as the MLO band score.
Change-Id: If0714fa94031d5746d89388917540f0e34086d86
CRs-Fixed: 3483850
Currently, if the MLO connection fails then the connection is tried
with the same link until it reaches the maximum number of trials, but
the connection is not tried with the same assoc link by changing the partner
link or with SLO.
So, when the vendor roam score algorithm is enabled, add logic to try the
MLO connection again by reducing the number of partner links with
each retry until an SLO connection is tried.
Change-Id: Ic0e3acd2198cfa0ed0ff893da6ae32d669d32a41
CRs-Fixed: 3521159
Optimize scan logs while dropping a frame to print the frame type,
freq and other info, and use the same format to print.
Also, if the bssid hint is zero, avoid printing hidden bssids which
are filtered out.
Change-Id: Ibb6cb523b9be6af2c05c4a5a7a5cbccb44f984af
CRs-Fixed: 3506377
For the MBSSID case, the ML IE does not contain full per-STA profile info
in the MBSSID IE. When generating the beacon and probe response frame
for the MBSSID case, it needs to copy the ML IE info from the main frame.
Change-Id: Id369d08772f11a5f0f838351b5b76ecce3762c55
CRs-Fixed: 3479932
The host parses the newly added vendor command
QCA_NL80211_VENDOR_SUBCMD_CONNECTED_CHANNEL_STATS and triggers a
scan to get connected channel stats from FW in case of an MLO
connection.
On scan done, the host sends a scan done indication to the upper layer
via the QCA_NL80211_VENDOR_SUBCMD_CONNECTED_CHANNEL_STATS vendor
command.
Change-Id: I92dbd779c5fbdb1652a37cfa54c177bd13de4f28
CRs-Fixed: 3491060
Optimize beacon/probe rsp logs by printing the params when
their values are non-zero, thus reducing the log size.
Also add the frame length in the logs.
Change-Id: I6cad77b6cdc4576804cdabd9f53235029e6cebd7
CRs-Fixed: 3490632
The scan DB has the intersected phymode. For BSS information via iwlist we need
the non-intersected phymode.
Change-Id: I62a4aea33a67ac12b5be5bcdd4a3fc4538056df9
CRs-Fixed: 3454700
1. Read the new service capabilities:
WMI_SERVICE_CCA_BUSY_INFO_FOREACH_20 MHz: via this the host knows
whether FW supports reporting of CCA busy info for each 20 MHz
subband of a wideband scan channel or not.
WMI_SERVICE_VDEV_PARAM_CHWIDTH_WITH_NOTIFY_SUPPORT: via this the
host knows whether FW supports VDEV param channel width switch
with OMN/OMI notification or not.
2. Register an osif callback to send a scan done indication to the upper
layer.
3. Add 2 new scan flags, pause_home_channel and
report_cca_busy_for_each_20 MHz.
Change-Id: I63d561a3c5f8e49a3ca42d956e6b630c63edeaf4
CRs-Fixed: 3460901
If the PMKID present in the AP expires, the AP rejects the PMKID-based association.
The current design is to clear the cache using the BSSID/MAC address of the link
in such cases to let a fresh SAE authentication happen.
But the host driver stores the PMKSA with the MLD address for an ML BSS.
Adapt to the same and update the PMKSA cache clear APIs to use the
MLD address instead of the link address.
Introduce a new API which returns the legacy address for a non-ML
association and the MLD address for an MLO association of the BSS peer.
Use this API to get the correct entry from the PMKSA cache to delete.
Introduce a new utility API to fetch the MLD address from a scan entry.
Use this API to get the MLD address of the ML candidate.
Change-Id: Id35a3937ba6649e8ba7ae8f849ac1ed2a9cc83f8
CRs-Fixed: 3453839
For example, if tmp_new[1] = 3 and subie_len = 160,
(tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy will be 159.
In this scenario, the while condition becomes true (159 <= 160).
In the if condition (159 >= 160), we are not breaking the loop in the if.
tmp_new will get incremented; tmp_new will point at 159,
tmp_new[1] will point at 160, and tmp_new[2] at 161.
So, we are accessing a one-byte out-of-bounds value.
To fix accessing the out-of-bounds value, subtract one from subie_len
in the while and if conditions to avoid this scenario.
Change-Id: I624585323963b6d79acf9ff0f96ec17e0b415c2d
CRs-Fixed: 3358833
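Added example, not the driver's code: a C model of the sub-element walk described in the last message above, built on its own numbers (tmp_new[1] = 3, subie_len = 160), alongside a bounds-checked walk that applies the "check that the next field fits before reading it" principle from the RNR fix in the first message. The buffer contents, the vendor element ID 0xdd and the function names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define MIN_IE_LEN 2   /* element ID octet + length octet */
#define SUBIE_LEN  160 /* subie_len from the page's example */
/* Constructed (not captured) sub-element list: fourteen 11-octet filler
 * elements end at offset 154, where an element with length octet 3 sits,
 * so a walk lands on offset 159 with a single octet left, as on the page. */
static const uint8_t *sample(void)
{
    static uint8_t buf[SUBIE_LEN];   /* static storage is zero-filled */
    for (size_t off = 0; off < 154; off += MIN_IE_LEN + 9) {
        buf[off] = 0xdd;  /* hypothetical vendor element ID */
        buf[off + 1] = 9;
    }
    buf[154] = 0xdd;
    buf[155] = 3;         /* tmp_new[1] = 3 */
    return buf;
}
/* Re-traces the loop condition quoted on the page using offsets only,
 * with `adjust` subtracted from subie_len (0 = before the fix, 1 = after).
 * Returns the first offset the loop would read past the buffer, or 0 when
 * every read stays in bounds; nothing is dereferenced out of range. */
static size_t trace_loop(const uint8_t *sub_copy, size_t subie_len, size_t adjust)
{
    size_t limit = subie_len - adjust, off = 0;
    for (;;) {
        if (off + 1 >= subie_len)   /* reading tmp_new[1] here is OOB */
            return off + 1;
        size_t next = off + sub_copy[off + 1] + MIN_IE_LEN;
        if (next >= limit)          /* while fails (>) or in-loop break (==) */
            return 0;
        off = next;
    }
}
struct walk_result { size_t count; int truncated; };
/* Defensive walk in the spirit of the RNR fix at the top of the page: the
 * 2-octet header and the body must both fit before either is read. */
static struct walk_result walk_checked(const uint8_t *buf, size_t len)
{
    struct walk_result r = { 0, 0 };
    for (size_t off = 0; off < len; off += MIN_IE_LEN + buf[off + 1]) {
        if (len - off < MIN_IE_LEN || len - off - MIN_IE_LEN < buf[off + 1]) {
            r.truncated = 1;        /* stop rather than trust the length octet */
            break;
        }
        r.count++;
    }
    return r;
}
```

On the constructed buffer, trace_loop reports that the unfixed condition reaches offset 160, the fixed one stops in bounds, and walk_checked processes 15 elements before flagging the trailing octet as truncated.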