77cebf70 | 18-Mar-2024 |
Krupali Dhanvijay <quic_kdhanvij@quicinc.com> |
qcacmn: Add check to avoid NULL pointer dereference in parse MBSSID
A malformed beacon frame may dereference a NULL pointer while parsing the MBSSID IE in util_scan_parse_mbssid, which will lead to a crash.
Add a check in util_scan_parse_mbssid for split_prof_start before passing it to util_gen_new_ie, and assign zero to split_prof_len whenever split_prof_start is freed, to avoid an unanticipated scenario.
Change-Id: Ibb9739d6b5d1775ab52d59f9aa5050ca693cd926 CRs-Fixed: 3717571
|
ba7f3371 | 20-Feb-2024 |
Pragaspathi Thilagaraj <quic_tpragasp@quicinc.com> |
qcacmn: Set LTF keyseed required for existing peer also
LTF keyseed required flag is set only for newly created PASN peer. This value is filled from the security mode value received the PASN peer create request event from the firmware. If PASN peer already exists, then the peer is just added to the peer list and secure LTF keyseed required flag is not updated. This leads to wrong sequence of commands going to firmware.
Expected sequence: Install TK -> Set LTF keyseed -> PASN Auth STATUS.
Observed Sequence: Install TK -> PASN Auth status -> Set LTF keyseed -> PASN Auth status.
So set the is_ltf_keyseed required flag for already existing PASN peer also
Change-Id: If9994ad01a96bdb26ad55538a67feaed7e22892f CRs-Fixed: 3742573
|
99f24676 | 11-Mar-2024 |
Surya Prakash Sivaraj <quic_suryapra@quicinc.com> |
qcacmn: Use only partner links with valid scan entry
If the scan entries for a non-tx profile MBSSID partner links are not present at the time of candidate selection, then host driver generates the scan entry for the missing partner link from the assoc response.
The assoc response from the AP has PMKID in the RSN (some APs do not include RSN IE in assoc resp). In this case, the RSN along with PMKID gets inherited into the scan cache of the missing partner and this leads to mismatch between M3 and scan entry RSN causing disconnection.
To fix this, mark all the MBSSID partners without scan entries as invalid links at the time of candidate shortlisting. Score and connect to only non-tx candidates with valid scan entries.
Remove the probe response generation from assoc response logic.
Change-Id: I342519490ead2a2e91426439cf47e65c61b53aed CRs-Fixed: 3766047
|
3ea1cbb9 | 11-Mar-2024 |
Vinod Kumar Pirla <quic_vpirla@quicinc.com> |
qcacmn: Introduce APIs to save peer create and destroy hist
Add new structures, enums and APIs to enhance driver support to store peer create and destroy history in PSOC.
Add new list to MLME's PSOC object to hold entries.
Change-Id: I22b8d559e9981a93dc4891d563586dc13245aff9 CRs-Fixed: 3738897
|
a43a03d5 | 11-Mar-2024 |
Vinod Kumar Pirla <quic_vpirla@quicinc.com> |
qcacmn: New field to save number of FW roamed links
Add new field to hold number of links FW roamed to from roam sync indication.
Change-Id: Ie855a4725eb20d2696de7b7e88e67b870fb918c6 CRs-Fixed: 3755825
|
54e03329 | 22-Mar-2024 |
Jianmin Zhu <quic_jianminz@quicinc.com> |
qcacmn: Generate all possible unique candidates for MLO AP
For an MLO candidate, generate all possible unique candidates and try to connect to them one by one, sorted by score.
A single MLO AP with 5 GHz + 6 GHz + 2 GHz generates all possible unique candidates as follows:
1. 6 GHz + 2 GHz + 5 GHz
2. 6 GHz + 2 GHz
3. 6 GHz + 5 GHz
4. 6 GHz
5. 5 GHz + 2 GHz
6. 5 GHz
7. 2 GHz
Since standby link doesn't contribute to MLO candidate score, to assure 3 links candidate is tried before 2 links generated, insert generated candidate after original candidate.
Change-Id: I6c92b02e47563fc9b15e37fcec2ab7025a6554a3 CRs-Fixed: 3750735
|
20e6be3a | 17-Feb-2024 |
Shashikala Prabhu <quic_pshashik@quicinc.com> |
qcacmn: Fix out-of-bound read in T2LM IE parse API
In wlan_mlo_parse_t2lm_ie(), the code is present to check if the frame length is less than the parsed IE length plus size of ie_header structure (2 bytes). If the above condition is false then the subsequent code will access the data of parsed IE length plus size of extn_ie_header structure (3 bytes).
To fix the out-of-bound read, check if the frame length is less than parsed IE length plus size of extn_ie_header structure. Also, added the code to return success if frame length is same as parsed IE length.
Change-Id: I07c32379ecd18d253a82876127c33b4d95196dd2 CRs-Fixed: 3704796
|
3c0cb904 | 17-Feb-2024 |
Shashikala Prabhu <quic_pshashik@quicinc.com> |
qcacmn: Add frame length check in T2LM action frame parse APIs
Check for frame length before processing the T2LM request and response action frames.
Change-Id: I3ac1c8f6c2ff58a8c3a6d589fe6485dd97bfce09 CRs-Fixed: 3704794
|
70624478 | 04-Mar-2024 |
Surya Prakash Sivaraj <quic_suryapra@quicinc.com> |
qcacmn: Ignore PCL scoring for non-DBS STA
HW is non-DBS. SAP is UP in 6 GHz. Now, when a STA connection is attempted, the pcl for the second connection would have SAP SCC channel with highest priority, all the 5 GHz channels with 2nd highest priority and the 6 GHz channels with least priority. Therefore, even if there is a strong 6 GHz candidate for STA, the 5 GHz candidate would be chosen and the SAP moves to SCC in 5 GHz.
To fix this, ignore the pcl scoring for the non-DBS concurrency cases as the SAP can move to the channel of the best STA interface.
If the SAP is in legacy band, and if still a 6 GHz STA is chosen, then the legacy SAP would be torn down. So, give STA the best possible in non-DBS case.
Change-Id: I08d1acbe7805dcf7137534347406ffdf539ff0aa CRs-Fixed: 3748694
|
6e6bab3a | 26-Feb-2024 |
Aasir Rasheed <quic_arasheed@quicinc.com> |
qcacmn: Use MLMR and MLSR bss type for vendor_roam_score_algo
Currently, Host driver is using only MLMR bss type for vendor_roam_score_algorithm.
Due to recent change in host driver via Change-Id: I01338dbbc0845e6f6284e4a374f5ad0a5cada334, Host driver is using this api policy_mgr_2_freq_always_on_same_mac for evaluating sbs or dbs frequency which in turn returns MLSR for frequency 5 GHz and 6 GHz opposed to MLMR earlier.
This change is to use both the bss types MLMR and MLSR for the evaluation vendor_roam_score_algorithm.
Change-Id: I72b0d5e5b2daf498a434c05b503ea8aebc65be74 CRs-Fixed: 3742619
|
5438cc76 | 12-Mar-2024 |
CNSS_WLAN Service <cnssbldsw@qualcomm.com> |
Merge "qcacmn: Fix potential OOB read in util_scan_parse_mbssid()" into wlan-cmn.driver.lnx.2.0.14 |
2613f5f7 | 12-Mar-2024 |
CNSS_WLAN Service <cnssbldsw@qualcomm.com> |
Merge "qcacmn: Fix potential OOB read in util_scan_is_split_prof_found()" into wlan-cmn.driver.lnx.2.0.14 |
87778b39 | 29-Jan-2024 |
Surya Prakash Sivaraj <quic_suryapra@quicinc.com> |
qcacmn: Fix potential OOB read in util_scan_parse_mbssid()
If the length of the MBSSID IE is 0, then there is a potential OOB read in util_scan_parse_mbssid(), when the Max BSSID indicator field is accessed.
To fix this, do not proceed with MBSSID parsing if the length of the MBSSID IE is zero.
Change-Id: I2c7a7641b77fed20a910cb77035588a7540caa62 CRs-Fixed: 3717567
|
77e5284c | 31-Jan-2024 |
Srikanth Marepalli <quic_srimarep@quicinc.com> |
qcacmn: Fix potential OOB read in util_scan_is_split_prof_found()
If the tag length in next_elem is some invalid high value then the existing length check can still pass and lead to the OOB access.
Add an OOB check w.r.t total IE length to ensure it has the minimum number of bytes in the buffer.
Change-Id: I9778a3e0ced05d3246d91e23c2a47f7318634d75 CRs-Fixed: 3717566
|
8536ce5d | 09-Jan-2024 |
Surya Prakash Sivaraj <quic_suryapra@quicinc.com> |
qcacmn: Fix OOB read of ML IE
In util_get_bvmlie_bssparamchangecnt() and util_get_bvmlie_mldcap(), fix the possible OOB read of the ML IE, if the ML IE length is less than the minimum template of Basic variant ML probe response.
Change-Id: I50efaba682a1e42ef8befe09224edc34de9c8c7b CRs-Fixed: 3700045
|
24073c30 | 09-Jan-2024 |
Surya Prakash Sivaraj <quic_suryapra@quicinc.com> |
qcacmn: Fix possible OOB read/writes in ML probe generation
Fix the OOB read/writes in util_add_mlie_for_prb_rsp_gen() when the common info length is higher than the ML IE inside which the common info is encoded.
Change-Id: I07e9ad748404c6252924996aae57aba0f18e2f7d CRs-Fixed: 3700072
|
9c831dd9 | 13-Feb-2024 |
Surya Prakash Sivaraj <quic_suryapra@quicinc.com> |
qcacmn: Support dynamic FILS enablement for dual SAP
For Dual SAP (legacy SAP + 6 GHz SAP), WFA HE-4.1.1 cert case requires the following:
a) If Dual SAP is enabled, the 6 GHz SSID should be discovered via the RNR IE of the colocated legacy SAP.
b) If a co-located neighbor is present, the 6 GHz SAP should not send FD or unsolicited probe responses.
Add support for the above cert case by configuring the FD support for the 6 GHz SAP based on the operation of the co-located SAP.
Change-Id: Ib1ea2794baf8786b7c042fc35130b6929abb947f CRs-Fixed: 3732663
|
bf97803c | 27-Feb-2024 |
Jianmin Zhu <quic_jianminz@quicinc.com> |
qcacmn: Fix wrong MLO 2 GHz link CCFS1 in response to get_channel
The 2 GHz link CCFS may not be filled correctly in vht/he op. A wrong CCFS0 is obtained from util_scan_sec_chan_freq_from_htinfo and passed to the kernel, the regulatory check fails, and a disconnect happens.
To fix it, add new API util_scan_ccfs0_from_htinfo, and get CCFS0 by it.
Change-Id: I0e8879f13cff37b85cffb6446cc15c60c05465d2 CRs-Fixed: 3739815
|
a9c79a17 | 21-Feb-2024 |
Jianmin Zhu <quic_jianminz@quicinc.com> |
qcacmn: Move TPE MACRO to regulatory module
Move TPE MACRO to regulatory module
Change-Id: I61672a09abe6b0d5884d1233fbc4f5d2595ea290 CRs-Fixed: 3737992 |
8cd06744 | 08-Feb-2024 |
Krupali Dhanvijay <quic_kdhanvij@quicinc.com> |
qcacmn: Change minimum mbssid ie length value to 1
Currently, the minimum MBSSID IE length value in the driver is set to 4. Some APs advertise this value as 1. In such situations, the driver fails to parse the IE. So, to avoid such cases, modify the minimum MBSSID IE length value to 1.
Change-Id: I6ef89706b95318cb9bd38e04cab56b0fdef99fd5 CRs-Fixed: 3684794
|
b2253d34 | 29-Jan-2024 |
Rahul Gusain <quic_rgusain@quicinc.com> |
qcacmn: OOB while accessing ML IE
Currently, in function "util_get_ml_bv_partner_link_info", the driver accesses the ML IE memory with an offset which is calculated from the ML IE length and increments this offset with other values (such as perstaprof_stainfo_len). But this can lead to OOB for the ML IE when this offset value is incremented beyond the ML IE length.
So, to fix this, add check for offset before accessing ML IE.
Change-Id: Ie7312ab3379fce16e5b0f83d07d46f263f774ed8 CRs-Fixed: 3710085
|
f323c32b | 05-Feb-2024 |
Krupali Dhanvijay <quic_kdhanvij@quicinc.com> |
qcacmn: Fix out-of-bound in wlan_mlo_parse_bcn_prbresp_t2lm_ie
Currently, in the MLO T2LM API, wlan_mlo_parse_bcn_prbresp_t2lm_ie is missing frame boundary checks, which may lead to out-of-bound reads if the lengths are not checked by the caller.
The fix is to pass the frame length while parsing the T2LM IE and add a check for the frame boundary.
CRs-Fixed: 3704739 Change-Id: If3068db3489ee1c9a9da4945407598e27e3ca276
|
a1aaa5c7 | 21-Feb-2024 |
Jianmin Zhu <quic_jianminz@quicinc.com> |
qcacmn: Fix assert in cm_validate_partner_links
Uninitialized pointer partner_entry is dereferenced wrongly in Change-Id: Ib7e2f4cd43c8190c5e5fd0bb7786df41b022f518
Change-Id: I0cada18a043f4ed2f65697f81530b4169dc46dd2 CRs-Fixed: 3738263
|
c753fff3 | 02-Feb-2024 |
Jianmin Zhu <quic_jianminz@quicinc.com> |
qcacmn: Add API to check whether MLO CSA allowed
SCC links in the same MLD are not allowed; add an API to check whether MLO CSA is allowed.
CRs-Fixed: 3722991 Change-Id: I1eab54995e2b12715b66c58d6c6e31c14de6c994
|
0d945daa | 14-Nov-2023 |
Vinod Kumar Pirla <quic_vpirla@quicinc.com> |
qcacmn: Extend vdev stop and peer delete cmd for link switch
Enhance WMI command of existing peer delete and VDEV stop to add new TLV to carry MLO params with link switch BIT set when link switch is in progress.
Change-Id: I50b1aa48e4e2c976a56bcd3b75395eef6830e627 CRs-Fixed: 3663340
|