authorLinux Build Service Account <lnxbuild@localhost>2021-01-02 02:14:14 -0800
committerLinux Build Service Account <lnxbuild@localhost>2021-01-02 02:14:14 -0800
commit1a14e65971e758738ae102686221f7c757624559 (patch)
treede7c865e8f74034565c2d10e800e6956ffba7a23
parent30007a96269ce58b4905ea0ab7c3d9d392298cf9 (diff)
parent75ee73a60e0218bde351222082941a0317657ace (diff)
Merge 75ee73a60e0218bde351222082941a0317657ace on remote branch
Change-Id: Ifcdffd745d5a82c753914353a6126de8e3e3eaff
-rw-r--r--qcwcn/wifi_hal/nan_ind.cpp5
-rw-r--r--qcwcn/wifi_hal/ring_buffer.cpp20
-rw-r--r--qcwcn/wifi_hal/wifilogger_diag.cpp15
-rw-r--r--qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c12
-rw-r--r--qcwcn/wpa_supplicant_8_lib/wpa_driver_common_lib.h17
5 files changed, 44 insertions, 25 deletions
diff --git a/qcwcn/wifi_hal/nan_ind.cpp b/qcwcn/wifi_hal/nan_ind.cpp
index 12d2d97..6496314 100644
--- a/qcwcn/wifi_hal/nan_ind.cpp
+++ b/qcwcn/wifi_hal/nan_ind.cpp
@@ -346,6 +346,11 @@ int NanCommand::getNanMatch(NanMatchInd *event)
/* Populate receive discovery attribute from
received TLV */
idx = event->num_rx_discovery_attr;
+ if (idx < 0 || idx >= NAN_MAX_POSTDISCOVERY_LEN) {
+ ALOGE("NAN_TLV_TYPE_POST_NAN_DISCOVERY_ATTRIBUTE_RECEIVE"
+ " Incorrect index:%d >= %d", idx, NAN_MAX_POSTDISCOVERY_LEN);
+ break;
+ }
ret = getNanReceivePostDiscoveryVal(outputTlv.value,
outputTlv.length,
&event->discovery_attr[idx]);
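Review bot: The new guard bounds `idx` by `NAN_MAX_POSTDISCOVERY_LEN`, but nothing in the hunk shows that this constant is the declared element count of `event->discovery_attr`, so the check is only as good as that assumption. A comment such as `/* discovery_attr[] holds NAN_MAX_POSTDISCOVERY_LEN entries; drop any TLV beyond that */` would make the assumption explicit. The log text `Incorrect index:%d >= %d` is also misleading when the `idx < 0` arm fires; `" Incorrect index:%d, valid range [0, %d)"` covers both cases. The `break` leaves `ret` untouched, so the caller presumably cannot tell that an attribute was dropped. getNanMatch continues outside the hunk.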
diff --git a/qcwcn/wifi_hal/ring_buffer.cpp b/qcwcn/wifi_hal/ring_buffer.cpp
index cd9865a..a568a73 100644
--- a/qcwcn/wifi_hal/ring_buffer.cpp
+++ b/qcwcn/wifi_hal/ring_buffer.cpp
@@ -160,7 +160,7 @@ enum rb_status rb_write (void *ctx, u8 *buf, size_t length, int overwrite,
// write in current buffer
unsigned int total_push_in_rd_ptr = 0; // Total amount of push in read pointer in this write
- if (record_length > rbc->each_buf_size) {
+ if (record_length > rbc->each_buf_size || length > rbc->each_buf_size) {
return RB_FAILURE;
}
@@ -279,6 +279,17 @@ enum rb_status rb_write (void *ctx, u8 *buf, size_t length, int overwrite,
}
}
rb_unlock(&rbc->rb_rw_lock);
+ if(rbc->bufs[rbc->wr_buf_no].data == NULL || (rbc->bufs[rbc->wr_buf_no].data + rbc->cur_wr_buf_idx) == NULL ||
+ buf == NULL || buf + bytes_written == NULL) {
+ ALOGE("The read or Write buffer is null");
+ return RB_FAILURE;
+ }
+ if (((bytes_written + cur_copy_len) > length
+ || (rbc->cur_wr_buf_idx + cur_copy_len) > rbc->each_buf_size)) {
+ ALOGE("LOG_RB rb_write overflow - cur_copy_len=%d wr_buf[max=%zu no=%d idx=%d] buf[max=%zu accessed=%d]",
+ cur_copy_len, rbc->each_buf_size, rbc->wr_buf_no, rbc->cur_wr_buf_idx, length, bytes_written + cur_copy_len);
+ return RB_FAILURE;
+ }
/* don't use lock while doing memcpy, so that we don't block the read
* context for too long. There is no harm while writing the memory if
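Review bot: Two of the four NULL tests in the added block, `(rbc->bufs[rbc->wr_buf_no].data + rbc->cur_wr_buf_idx) == NULL` and `buf + bytes_written == NULL`, cannot catch anything: an offset from a valid pointer is never null, and offsetting a null pointer is undefined, so a compiler may drop them. The condition can be reduced to `if (rbc->bufs[rbc->wr_buf_no].data == NULL || buf == NULL) {`. Both added checks also run after `rb_unlock(&rbc->rb_rw_lock)` and read `wr_buf_no` and `cur_wr_buf_idx` unlocked. If another context can change those fields, the values validated here may differ from the ones the copy uses, so capturing them into locals before the unlock would close that gap. The early `return RB_FAILURE` may also leave bookkeeping updated earlier in rb_write out of step with what was copied; the body starts and ends outside the hunk, so check this against the full function.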
@@ -476,7 +487,12 @@ u8 *rb_get_read_buf(void *ctx, size_t *length)
cur_read_len = rbc->cur_wr_buf_idx - rbc->cur_rd_buf_idx;
} else {
/* write is rolled over and just behind the read */
- cur_read_len = rbc->bufs[rbc->rd_buf_no].last_wr_index - rbc->cur_rd_buf_idx;
+ if (rbc->bufs[rbc->rd_buf_no].last_wr_index >= rbc->cur_rd_buf_idx) {
+ cur_read_len = rbc->bufs[rbc->rd_buf_no].last_wr_index - rbc->cur_rd_buf_idx;
+ } else {
+ ALOGE("Alert: cur_read_len=%u invalid, rd_buf[no=%d rd_idx=%d wr_index=%d]",cur_read_len, rbc->rd_buf_no, rbc->cur_rd_buf_idx, rbc->bufs[rbc->rd_buf_no].last_wr_index);
+ return NULL;
+ }
}
} else {
if (rbc->cur_rd_buf_idx == 0) {
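Review bot: The new error path does `return NULL;` with no visible `rb_unlock(&rbc->rb_rw_lock)`. If rb_get_read_buf holds that lock at this point (the acquisition is outside the hunk), the return leaves it held and the next reader or writer blocks. If so, add `rb_unlock(&rbc->rb_rw_lock);` before the return, and consider `*length = 0;` so a caller that ignores the NULL does not use a stale length. The ALOGE also prints `cur_read_len`, which this branch never assigns, so the logged value is meaningless or indeterminate, depending on how it is declared. Logging only `rd_buf_no`, `cur_rd_buf_idx` and `last_wr_index` would be accurate.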
diff --git a/qcwcn/wifi_hal/wifilogger_diag.cpp b/qcwcn/wifi_hal/wifilogger_diag.cpp
index 827e235..e2bb153 100644
--- a/qcwcn/wifi_hal/wifilogger_diag.cpp
+++ b/qcwcn/wifi_hal/wifilogger_diag.cpp
@@ -1009,6 +1009,11 @@ static wifi_error process_fw_diag_msg(hal_info *info, u8* buf, u32 length)
payloadlen = diag_msg_hdr->u.msg_hdr.payload_len;
hdr_size = sizeof(fw_diag_msg_hdr_t);
payload = diag_msg_hdr->payload;
+ if ((count + hdr_size + payloadlen) > length) {
+ ALOGE("WLAN_DIAG_TYPE_MSG - possible buffer over access, length=%d count=%d hdr_size=%d payload len=%d",
+ length, count, hdr_size, payloadlen);
+ return WIFI_ERROR_UNKNOWN;
+ }
process_firmware_prints(info, (u8 *)diag_msg_fixed_hdr,
payloadlen + hdr_size);
break;
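Review bot: The added bound `(count + hdr_size + payloadlen) > length` is computed by addition, so a large firmware-supplied `payloadlen` can wrap the sum and pass the check if these are fixed-width unsigned values (their declarations are outside the hunk). The subtraction form avoids that: `if (count > length || hdr_size > length - count || payloadlen > length - count - hdr_size) {`. The check also comes after `payload_len` has already been read through the header pointer, so unless an earlier check outside the hunk guarantees `count + hdr_size <= length`, the header read itself can run past the buffer. The same applies to the WLAN_DIAG_TYPE_MSG_V2 and WLAN_DIAG_TYPE_CONFIG hunks below. process_fw_diag_msg starts and ends outside these hunks.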
@@ -1019,6 +1024,11 @@ static wifi_error process_fw_diag_msg(hal_info *info, u8* buf, u32 length)
payloadlen = diag_msg_hdr_v2->u.msg_hdr.payload_len;
hdr_size = sizeof(fw_diag_msg_hdr_v2_t);
payload = diag_msg_hdr_v2->payload;
+ if ((count + hdr_size + payloadlen) > length) {
+ ALOGE("WLAN_DIAG_TYPE_MSG_V2 - possible buffer over access, length=%d count=%d hdr_size=%d payload len=%d",
+ length, count, hdr_size, payloadlen);
+ return WIFI_ERROR_UNKNOWN;
+ }
process_firmware_prints(info, (u8 *)diag_msg_fixed_hdr,
payloadlen + hdr_size);
break;
@@ -1030,6 +1040,11 @@ static wifi_error process_fw_diag_msg(hal_info *info, u8* buf, u32 length)
payload = diag_msg_hdr->payload;
payloadlen = diag_msg_hdr->u.payload_len;
hdr_size = sizeof(fw_diag_msg_hdr_t);
+ if ((count + hdr_size + payloadlen) > length) {
+ ALOGE("WLAN_DIAG_TYPE_CONFIG - possible buffer over access, length=%d count=%d hdr_size=%d payload len=%d",
+ length, count, hdr_size, payloadlen);
+ return WIFI_ERROR_UNKNOWN;
+ }
process_firmware_prints(info, (u8 *)diag_msg_hdr,
payloadlen + hdr_size);
}
diff --git a/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c b/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
index 75b0735..a0a1c6e 100644
--- a/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
+++ b/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
@@ -640,11 +640,11 @@ static int parse_and_populate_setcellswitchmode(struct nl_msg *nlmsg,
QCA_ROAM_TRIGGER_REASON_DENSE |
QCA_ROAM_TRIGGER_REASON_BTM |
QCA_ROAM_TRIGGER_REASON_BSS_LOAD |
- QCA_ROAM_TRIGGER_REASON_USER_TRIGGER_TMP |
- QCA_ROAM_TRIGGER_REASON_DEAUTH_TMP |
- QCA_ROAM_TRIGGER_REASON_IDLE_TMP |
- QCA_ROAM_TRIGGER_REASON_TX_FAILURES_TMP |
- QCA_ROAM_TRIGGER_REASON_EXTERNAL_SCAN_TMP;
+ QCA_ROAM_TRIGGER_REASON_USER_TRIGGER |
+ QCA_ROAM_TRIGGER_REASON_DEAUTH |
+ QCA_ROAM_TRIGGER_REASON_IDLE |
+ QCA_ROAM_TRIGGER_REASON_TX_FAILURES |
+ QCA_ROAM_TRIGGER_REASON_EXTERNAL_SCAN;
scan_scheme_bitmap = QCA_ROAM_TRIGGER_REASON_PER |
QCA_ROAM_TRIGGER_REASON_BEACON_MISS |
@@ -678,7 +678,7 @@ static int parse_and_populate_setcellswitchmode(struct nl_msg *nlmsg,
break;
case 2:
if (nla_put_u32(nlmsg, QCA_ATTR_ROAM_CONTROL_TRIGGERS, all_trigger_bitmap) ||
- nla_put_u32(nlmsg, QCA_ATTR_ROAM_CONTROL_SCAN_SCHEME_TRIGGERS_TMP, scan_scheme_bitmap)) {
+ nla_put_u32(nlmsg, QCA_ATTR_ROAM_CONTROL_SCAN_SCHEME_TRIGGERS, scan_scheme_bitmap)) {
wpa_printf(MSG_ERROR,"Failed to set: ROAM_CONTROL_TRIGGERS_SCAN_SCHEME");
goto fail;
}
diff --git a/qcwcn/wpa_supplicant_8_lib/wpa_driver_common_lib.h b/qcwcn/wpa_supplicant_8_lib/wpa_driver_common_lib.h
index c4783c8..ee335ac 100644
--- a/qcwcn/wpa_supplicant_8_lib/wpa_driver_common_lib.h
+++ b/qcwcn/wpa_supplicant_8_lib/wpa_driver_common_lib.h
@@ -121,23 +121,6 @@ enum qca_wlan_vendor_attr_get_station {
QCA_WLAN_VENDOR_ATTR_GET_STATION_AFTER_LAST - 1,
};
-/*
-these enum changes are temporary, shall be removed when
-updated wpa_supplicant_8/src/common/qca-vendor.h is available
-*/
-
-enum qca_roam_control_scheme_tmp{
- QCA_ATTR_ROAM_CONTROL_SCAN_SCHEME_TRIGGERS_TMP = 13,
-};
-
-enum qca_roam_trigger_reasons_tmp {
- QCA_ROAM_TRIGGER_REASON_USER_TRIGGER_TMP = 1 << 8,
- QCA_ROAM_TRIGGER_REASON_DEAUTH_TMP = 1 << 9,
- QCA_ROAM_TRIGGER_REASON_IDLE_TMP = 1 << 10,
- QCA_ROAM_TRIGGER_REASON_TX_FAILURES_TMP = 1 << 11,
- QCA_ROAM_TRIGGER_REASON_EXTERNAL_SCAN_TMP = 1 << 12,
-};
-
/**
* enum qca_wlan_vendor_attr_get_station_info - Station Info queried
* through QCA_NL80211_VENDOR_SUBCMD_GET_STATION.