- May 23, 2019
sheenam monga authored
Currently, lim_process_assoc_cleanup does not do null validation for sta_ds which can lead to null pointer dereference. Add null pointer check for sta_ds in lim_process_assoc_cleanup. Change-Id: I74ad0e11213c0bec1473984f312f18b5f1082082 CRs-Fixed: 2423883
-
- May 22, 2019
Yu Ouyang authored
Update host driver version to 5.2.0.69A for rb1.3 branch. Change-Id: I2a35bf05833cdd39cfd20477bd65b271e6eb5b0f
-
- May 16, 2019
Yu Ouyang authored
While getting reassociation request frame, user space hostapd will trigger disassociate with reason code 13. Association can't be established. The root cause is that the host driver forwards 6 more bytes to user space. The 6 bytes are the current AP address in the association request frame. Hostapd can't parse the association request frame because of the additional 6 bytes. Skip current AP address before forwarding reassociation request frame to user space. Change-Id: I94a7c26289f24a1f0716fe64c4ee58eae1a913c6 CRs-Fixed: 2435392
-
- May 15, 2019
Harprit Chhabada authored
In wma_stats_event_handler several fields lengths are added together to check against param_buf->num_data (the overall length of the buffer). The problem is that num_pdev_stats, num_vdev_stats and num_peer_stats represent the number of structures of each type rather than the total number of bytes. Therefore update the logic to compare the expected size of the entire payload to the actual payload. Change-Id: I94af679480e62a61d4b25a1f370b2f199985f874 CRs-Fixed: 2429010
-
- May 08, 2019
bings authored
Memory leak happens if req is allocated in sap_goto_channel_sel without freeing when error happens in sap_goto_channel_sel. When error happens in sap_goto_channel_sel, free the allocated buffer in sap_goto_channel_sel. Change-Id: Id0d59e5716c46c4b5d5b48fdd064f9a4f6e27bfe CRs-Fixed: 2448929
-
- Apr 30, 2019
Min Liu authored
The field bssid in cfg80211_update_owe_info is renamed to peer in kernel. Change it accordingly in WLAN driver. Change-Id: Idf6e051d875c2a9dbe10c49eab7aa02536e5bdc4 CRs-Fixed: 2433437
-
- Apr 26, 2019
Krunal Soni authored
As part of Iab0862eda2392bd516c8ba0b913441b8e0d4c493, timestamp of last received frames was introduced to block excessive mgmt frames being sent as part of Denial of service. Move that logic to control path to remove dependency on data-path. CRs-Fixed: 2280235 Change-Id: Idd7617782e71ee187eef7fcb3523c05b49f82094
-
- Apr 18, 2019
Jianmin Zhu authored
Scan queue isn't unregistered, which leads to scheduler queue leakage. After the driver module is started/stopped several times, the scheduler queues are used up and no more can be registered. Change-Id: I98d81591aee25a5e18e560766fb077733eb1b671 CRs-Fixed: 2431696
-
- Apr 11, 2019
Min Liu authored
When failure status is received in vdev start response from FW, host will call wma_remove_peer to delete peer. However, this operation is not done in the timeout handler of vdev start request and it will lead to peer leak when vdev start response failed to be received from FW. Add peer deletion in vdev start request timeout handler accordingly. Change-Id: I419369d09be1bd4b7e19e45b11256190fd2ec267 CRs-Fixed: 2288937
-
- Apr 01, 2019
CNSS_WLAN Service authored
-
- Mar 29, 2019
Baowei Liu authored
Memory of sizeof(!roam_info) is not correct. Change-Id: Ida0c617815439de33b767b9eb8ed16869264854b
-
- Mar 28, 2019
Min Liu authored
For WPA3 SAE test case 4.2.7, SAP should reject the association request with PMF disabled from SAE STA. Change-Id: Ie2298313ce5a7a363afdb4478f541cf2da612603 CRs-Fixed: 2387822
-
CNSS_WLAN Service authored
-
CNSS_WLAN Service authored
-
Min Liu authored
Random failure is observed when trying to parse RSN IE from assoc_ind->assocReqPtr in sap_fill_owe_ie_in_assoc_ind. It should be parsed from ASSOC_REQ_IE_OFFSET. Change-Id: I8f532f8850a7d997e0227a9e00d4285297243495 CRs-Fixed: 2408770
-
- Mar 27, 2019
Wu Gao authored
It doesn't handle event eWNI_SME_UPPER_LAYER_ASSOC_CNF if state isn't eCSR_ROAMING_STATE_JOINED, which causes a memory leak. So handle this event and free the memory. Change-Id: Ibfbf9ac5e2d74a2c81839976b4cc1fb7deae7e60 CRs-Fixed: 2414369
-
- Mar 25, 2019
Rajeev Kumar Sirasanagandla authored
While processing vendor command acs_chan_config, in hdd_parse_vendor_acs_chan_config() memory allocated for channel_list is not de-allocated in error scenario. This leads to memory leak. To address this, while returning error, free channel_list in hdd_parse_vendor_acs_chan_config(). Change-Id: Icdd264cfaa2e4266c22bc87c234e4a21122618b6 CRs-Fixed: 2410875
-
- Mar 22, 2019
CNSS_WLAN Service authored
-
Rajeev Kumar Sirasanagandla authored
While processing cfg80211 callback testmode_cmd(), size of vendor attribute TM_ATTR_DATA is not validated against the maximum length but type casted to the internally defined structure pmo_lphb_req. This can lead to out of bounds access if the size of attr is less than size of pmo_lphb_req. To address this, validate size of TM_ATTR_DATA. Change-Id: I83b18d0935ebc6139644c02a9e51ef25a12b9176 CRs-Fixed: 2411653
-
Rajeev Kumar Sirasanagandla authored
While processing vendor command EXTERNAL_ACS, in hdd_parse_vendor_acs_chan_config() total number of channels is computed by parsing nested attribute ACS_CHANNEL_LIST. Initially computed number of channels is stored in int data type and later copied to u8 data type, this shall truncate if number of channels is greater than 255. Memory for channel list is allocated using truncated value but later the same list is accessed using computed value which shall result in buffer overflow. To address this, validate computed value against MAX_CHANNELS. Change-Id: Idbbf3b44fd238f7cff53bedd68f2c7627ecdfa9d CRs-Fixed: 2410869
-
- Mar 21, 2019
CNSS_WLAN Service authored
-
Bala Venkatesh authored
When sta+sap scc enabled on dfs channel then SAP cannot operate on DFS channel in standalone mode. If STA+SAP are operating in SCC mode on a DFS channel and STA gets disconnected from reference AP then driver schedules a workqueue to move the SAP from DFS channel to user configured channel. At this time if STA again connects to reference AP within few ms then driver again schedules one more workqueue to move the SAP to STA's channel. Sometimes the second workqueue may fail to switch the channel if first one is not yet completed. So added event variable to schedule second workqueue only when first one is complete. CRs-Fixed: 2163412 Change-Id: Ia6ce4b6264c35f6d2c809e2a3f65f535e930874e
-
Wu Gao authored
It won't free the nbuffer when tx mgmt frame and session is not found, which then causes a memory leak. So free memory to avoid memory leak. Change-Id: I4e6c2fcdcbf9fa549887602eeaeee3126edc1ef5 CRs-Fixed: 2400974
-
- Mar 20, 2019
CNSS_WLAN Service authored
Merge "qcacld-3.0: Fix null pointer dereference in wma_pdev_div_info_evt_handler" into wlan-cld3.driver.lnx.2.0.1
-
CNSS_WLAN Service authored
-
- Mar 19, 2019
Zhaoyang Liu authored
Fix issues where variables are used without initialization. Change-Id: I40d7054a719bf8a442d153beeb4c9aa38bcad373 CRs-Fixed: 2416837
-
- Mar 18, 2019
Qun Zhang authored
In IBSS mode, it should copy ssid to member ssId of tSirMacSSid instead of member length when set bcn/probe filter. Due to the wrong copy, the peer IBSS bcn is filtered out, so the IBSS group can not be established. Change-Id: I9df11de06b0c5ef04a53ee6a25a4ef1547797980 CRs-Fixed: 2386777
-
- Mar 15, 2019
Rakshith Suresh Patkar authored
In ol_tx_flow_pool_map_handler, we will unpause all netif queues. Unpausing will fail if any queue bitmap is not cleared and pause_map remains non zero. To avoid this, unpause priority queue before unpausing all non priority queues. Change-Id: If9a4e5d923b300aa03f01847da1ad64e8d6c61ef CRs-Fixed: 2391158
-
- Mar 12, 2019
Ashish Kumar Dhanotiya authored
While handling ll stats information there is a possibility of OOB read in hdd_populate_wifi_signal_info api as FW is giving num_chan info as uint_32 and host has saved into int_32 type variable which may lead to an extremely large positive number which is getting used as index of for loop to populate signal info in skp which may lead to OOB read. Change-Id: I032eb465db30ee9e3a7ba0c4f017ed781264c47d CRs-fixed: 2383605
-
- Mar 11, 2019
bings authored
In lim_send_mlm_assoc_ind, wpa information may be copied to rsnIEdata. So before calling dot11f_unpack_ie_rsn for rsnIEdata in the function csr_roam_chk_lnk_assoc_ind, make sure the element id is RSN IE. dot11f_unpack_ie_rsn returns failure for rsnIEdata if it contains WPA information, then WPA connection fails. Change-Id: I602a47326d452f33ba589a9cc99f59ce443d3162 CRs-Fixed: 2406444
-
- Mar 08, 2019
CNSS_WLAN Service authored
-
CNSS_WLAN Service authored
Merge "qcacld-3.0: Support firmware state check through cfg80211 vendor cmd" into wlan-cld3.driver.lnx.2.0.1
-
- Mar 07, 2019
Jeff Johnson authored
In wlan_hdd_merge_avoid_freqs() there is a test to determine if the merged frequency list will exceed the size of the destination buffer, and if so, the function returns an error. Unfortunately the method to determine overflow actually modifies the information in the destination list, and so if the error return occurs the destination list will contain an incorrect, too large, destination list size. Address this issue by determining if the list will overflow prior to modifying the destination list size. Change-Id: I9ede0bc24c676d6a9ef124d83c36ca9860b847f7 CRs-Fixed: 2410138
-
Qun Zhang authored
Add the support to allow user space applications through cfg80211 vendor command to check if wlan firmware is alive or not. Change-Id: I96bb16e01974f7689493577741a36e3832963996 CRs-Fixed: 2399508
-
- Mar 05, 2019
CNSS_WLAN Service authored
Merge "qcacld-3.0: Fix possible OOB in wma_pdev_div_info_evt_handler" into wlan-cld3.driver.lnx.2.0.1
-
Krunal Soni authored
Fix uninitialized variable in lim_handle_csa_offload_msg() API. CRs-Fixed: 2232736 Change-Id: Ie9e918780af2407796359cfc293bf227a69385b2
-
- Mar 04, 2019
CNSS_WLAN Service authored
-
Pragaspathi Thilagaraj authored
In the function wma_pdev_div_info_evt_handler, while handling WMI_PDEV_DIV_RSSI_ANTID_EVENTID event, the corresponding event handler wma_pdev_div_info_evt_handler is invoked. In the function wma_pdev_div_info_evt_handler, event_buf argument comes directly from firmware and event parameter is pulled from event buf. The event->num_chains_valid is used as the maximum bound on the array index of chain_rssi[] array which has a maximum limit of CHAIN_MAX_NUM(8). When event->num_chains_valid has a value greater than this maximum limit, OOB write could occur. Add check to validate the event->num_chains_valid against CHAIN_MAX_NUM(8) and return failure if it exceeds. Change-Id: I40f1aa8a7b4bcffef3cab588c78c700e88e24673 CRs-Fixed: 2304662
-
Liangwei Dong authored
Zero local variable memory before use. Change-Id: I351239f56f81195268e892f8d3de2688d9ef01ec CRs-Fixed: 2408599
-