- May 30, 2023
Aravind Kishore Sukla authored
In wma_group_num_bss_to_scan_id(), bssid_list may be accessed out of bounds. Add a check to avoid potential OOB access for bssid_list.
Change-Id: I218af0fe617f64a50c7c296c622f7fac01e1b4fc
CRs-Fixed: 3357461
- May 16, 2023
Nagalakshmi authored
Currently in the wma_extscan_hotlist_match_event_handler API, dest_hotlist gets memory allocated based on numap, which takes its value from event->total_entries. But numap is limited to WMA_EXTSCAN_MAX_HOTLIST_ENTRIES, and an event->total_entries larger than WMA_EXTSCAN_MAX_HOTLIST_ENTRIES can cause an out-of-bounds issue. Fix is to populate dest_hotlist->numOfAps from numap instead of event->total_entries to avoid any out-of-bounds issue.
Change-Id: I756f7e4a4dcd454508bba83d4a8bbbb139530905
CRs-Fixed: 3346781
- Feb 17, 2023
Aravind Kishore Sukla authored
In the present scenario, the STA disconnects from the AP if it receives an invalid channel in the CSA IE. In this case the STA shouldn't disconnect from the AP, as this request may come from a spoof AP. Ignore this CSA request as it might be from a spoof AP; if it is from a genuine AP, heartbeat failure happens and results in disconnection. After disconnection the DUT may reconnect to the same or other APs.
Change-Id: I554bda1c3a0aa96e97d7fdf4dc160be8a2e7f452
CRs-Fixed: 3390251
- Dec 16, 2022
Bing Sun authored
If the entry of ch power info is not locked, a use-after-free may happen. For example, csr_save_to_channel_power2_g_5_g does csr_purge_channel_power, while csr_save_tx_power_to_cfg is called in another thread and it calls csr_ll_peek_head then does some operation on the entry.
Change-Id: If6cc4d8e0072e97288b60d3c72499b79c0a2bf67
CRs-Fixed: 2580147
- Mar 26, 2022
Jianmin Zhu authored
Some IoT APs may have duplicate rates in the supported rates and extended rates in the beacon; these need to be filtered when populating peer 11a/11b rates during connect/roaming, or an array out-of-bounds issue will happen.
Change-Id: I685e8c07ee147296bfa22742dad4210e7fa02c4a
CRs-Fixed: 3048142
- Dec 20, 2021
Bapiraju Alla authored
Currently, the NDP app info length is not being validated against the max NDP app info length. This may result in buffer overflow while accessing the NDP app info received from the firmware. To address this, validate the NDP app info length before accessing the NDP app info.
Change-Id: Ifddf1afca7ecf2585e8eb450864d9ba127238f6e
CRs-Fixed: 3073345
- Nov 08, 2021
Deeksha Gupta authored
Currently in unpack_tlv_core(), nBufRemaining is validated after calling the framesntohs API. framesntohs() copies from the pIn address to the pOut address with length = 2 bytes, as below:
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
which could cause an OOB issue if pIn contains less than 2 bytes. Fix is to validate the nBufRemaining size before calling framesntohs().
Change-Id: I3ead03ec948282a410ddba5b01f82ca31d3d9199
CRs-Fixed: 3042282
- Nov 05, 2021
Gururaj Pandurangi authored
Avoid OOB read in the dot11f_unpack_assoc_response API. Add a check for when nBuf == len to read another byte of pBufRemaining.
Change-Id: Iccdb0b268d16f4169b8b701ade6085d47897f785
CRs-Fixed: 3042293
- Sep 29, 2021
Yeshwanth Sriram Guntuka authored
In a WEP connection, the IV values used for consecutive packets could be random and need not be monotonically increasing or consecutive in the case of fragments. This could result in fragments being incorrectly dropped. Fix is to not do the PN check in the case of WEP security.
Change-Id: I8bfe16f3bf68752f4279b3fae1cf485a3abc1af7
CRs-Fixed: 2977416
- Jul 12, 2021
abhinav kumar authored
Possible buffer overflow risk in function wmi_unified_bcn_tmpl_send. Validate the beacon template length against the WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow.
Change-Id: I98665de677f314f30a57991f48191f847718740c
CRs-Fixed: 2960714
- May 21, 2021
Linux Build Service Account authored
- May 20, 2021
Linux Build Service Account authored
Karthik Kantamneni authored
Currently MIC verification is not proper for fragmented packets; fix MIC verification for the helium family.
Change-Id: Iac95c579287bafedf6521b38f2c628fd08cca72d
CRs-Fixed: 2869483
Yeshwanth Sriram Guntuka authored
Do not intrabss forward EAPOL frames received in IPA exception path.
Change-Id: I0be68ec2c186a7b64d4d2f1c3de7dbb20e49d860
CRs-Fixed: 2860225
Yeshwanth Sriram Guntuka authored
Drop non-EAPOL/WAPI frames from unauthorized peer received in the IPA exception path.
Change-Id: I0c0bc6e60efa193126ba1e3eca36c5e02f7f76a3
CRs-Fixed: 2860206
Yeshwanth Sriram Guntuka authored
Multicast frames should not be fragmented, and plaintext frags should not be reassembled in a protected network. Fix is to drop mcast frags and plaintext frags received in a protected network.
Change-Id: I98cf0715f5832f2f86f86b79dbdbc3a7c86dbfd0
CRs-Fixed: 2860245
Yeshwanth Sriram Guntuka authored
Fragmented EAPOL frames, and EAPOL frames received in a few error scenarios with a DA different from the SAP vdev mac addr, will be dropped.
Change-Id: I624eba5bdb43c6b88a1f57112550f8026cc35e24
CRs-Fixed: 2888227
Yeshwanth Sriram Guntuka authored
Modify check to ensure packet number is consecutive for fragments and drop the fragments if the check fails.
Change-Id: Ica24f65aff65ca58bb010c876f27964b5b2bae6a
CRs-Fixed: 2860242
Yeshwanth Sriram Guntuka authored
Fragments are not flushed as part of rekey, which could result in fragments encrypted under different keys being reassembled. Fix is to flush fragments for the peer for which the add key request is received.
Change-Id: I0c018ff7375272125c62aaea7b8ad4df9e842508
CRs-Fixed: 2875950
Yeshwanth Sriram Guntuka authored
Add support for flushing fragments for a particular peer.
Change-Id: I91236d2edc73317380590458b974013a02e858a1
CRs-Fixed: 2860131
Yeshwanth Sriram Guntuka authored
Do not intrabss forward fragmented EAPOL frames that have DA different from the SAP vdev mac addr.
Change-Id: I4145227c9b02fe8cec86ef4ffc3bc2025f906923
CRs-Fixed: 2888467
- Feb 10, 2021
Srinivas Dasari authored
Currently, lim silently drops the association if it fails to post ASSOC_IND due to some reason (e.g. invalid contents of the assoc request), and the MLM state is stuck in eLIM_MLM_WT_ASSOC_CNF_STATE. The station context is not cleaned up till the next association. Gracefully clean up the association in such failure cases.
Change-Id: Iede43a1ddc4ac6ef300af02776b153b58dd70c2c
CRs-Fixed: 2810235
- Jul 13, 2020
Pragaspathi Thilagaraj authored
Add sanity check for vdev_id in wma_lost_link_info_handler against wma_handle->max_bssid.
Change-Id: I1f469b25ac88deb4d5bbaf754c0ea441e6cb04de
CRs-Fixed: 2325718
- Mar 19, 2020
Gururaj Pandurangi authored
In function rrm_fill_beacon_ies, the do-while loop checks whether BcnNumIes is greater than IE length 0. Fix the check to be greater than 2, as the first two bytes are the IE header (element ID and IE length fields, 1 byte each).
Change-Id: I11e5de481cd49a22acafee938fbe73f839f5b0e4
CRs-Fixed: 2626729
- Mar 11, 2020
Pragaspathi Thilagaraj authored
In function rrm_fill_beacon_ies, the total IE length is calculated as the sum of the length field of the IE and 2 (element ID 1 byte and IE length field 1 byte). The total IE length is defined as type uint16_t and will overflow if *(pBcnIes + 1) = 0xfe. Validate the len against the total IE length to avoid overflow.
Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2573329
- Mar 03, 2020
bings authored
psessionEntry->pSchBeaconFrameBegin is allocated with the fixed length SCH_MAX_BEACON_SIZE. Do not copy the value to the buffer exceeding psessionEntry->pSchBeaconFrameBegin.
Change-Id: I539692c01753b991a963b0416177cf5b474cfdf8
CRs-Fixed: 2577689
- Jan 14, 2020
Tiger Yu authored
The txrx stats req has already been freed in ol_txrx_pdev_detach by checking the req_list of the pdev. Remove the txrx stats req free in ol_txrx_fw_stats_desc_pool_deinit to avoid the double free.
Change-Id: Idb2d5517e90ee873e7fd62d58c48a4f793266bac
CRs-Fixed: 2272696
- Jan 11, 2020
Linux Build Service Account authored
- Jan 03, 2020
Dundi Raviteja authored
Out-of-buffer access may occur in the wmi_get_buf_extscan_start_cmd() function if the user-provided inputs differ for the below parameters, which are assigned in the hdd_extscan_start_fill_bucket_channel_spec() function:
1. QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_NUM_CHANNEL_SPECS
2. QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC
To address this issue, return failure status if numChannels is not equal to the total number of channel entries.
Change-Id: I60d74161dc3752bd7f609af3910d7c86a99488ec
CRs-Fixed: 2255189
- Oct 25, 2019
Alok Kumar authored
Currently pl_tgt_hdr is used without initialization. Initialize pl_tgt_hdr before dereference.
Change-Id: Ib590a2f6c1f34855942c3e550fa4a573dc0c2701
CRs-Fixed: 2204630
- Oct 15, 2019
gaurank kathpalia authored
In the API, the driver inserts 0 after the SSID name to mark the end of the SSID, but if the SSID name is 32 characters, which is the max SSID length possible, the driver puts 0 at the 33rd place in memory, which is not part of the SSID name. This results in an OOB write, or off-by-one write condition. Fix is to remove the addition of 0 after the SSID, as in every case the driver prints the SSID taking the SSID length as the input, and in that case insertion of 0 serves no purpose.
Change-Id: I1d58026ec9f48fe9d00bd2f50783c65899588978
CRs-Fixed: 2232526
- Sep 20, 2019
Linux Build Service Account authored
Linux Build Service Account authored
Linux Build Service Account authored
- Sep 19, 2019
Ashish Kumar Dhanotiya authored
In function __wlan_hdd_cfg80211_vendor_scan, when SCAN_SSIDS and QCA_WLAN_VENDOR_ATTR_SCAN_FREQUENCIES are parsed, if the number of SSIDs or the number of channels is more than 255 in the netlink message, n_ssid and n_channels will overflow because n_ssid and n_channels are of type uint8_t. Update the type of n_ssid and n_channels from uint8_t to uint32_t.
Change-Id: Ib31dcc912fee8639e26d836d2fc5a32bf81fb43d
CRs-Fixed: 2153343
Bala Venkatesh authored
In the function cfg80211_rx_mgmt, data_len is calculated as len - ieee80211_hdrlen(mgmt->frame_control). len is not validated before this calculation, so a possible integer underflow will occur if the len value is less than the value of ieee80211_hdrlen(mgmt->frame_control). Validate the value of len against ieee80211_hdrlen(mgmt->frame_control) in the caller.
Change-Id: Iae776daf37b0c052bd4ce4da44ea728d121eae51
CRs-Fixed: 2263758
gaurank kathpalia authored
The driver allocates memory to del_sta_params in the API wma_roam_update_vdev. In the call to the wma_delete_sta API, the driver does a mem-free of del_sta_params. But in the main API wma_roam_update_vdev, after the function call to wma_delete_sta, the driver does a mem-free again, which could free a memory block allocated to some other block. Fix is to remove the mem-free of del_sta_params in the API wma_roam_update_vdev.
Change-Id: I79c69f6e6f10650cd57fd85dc4d79e8677976247
CRs-Fixed: 2214574
- Sep 14, 2019
Abhinav Kumar authored
In the dot11f_unpack functions, the length of the buffer passed is decremented as the pointer advances in the buffer. Add a check for integer underflow before decrementing the length.
Change-Id: I4ed39d326855c2027ff0bc3cbe5c8981a2ae2aa1
CRs-Fixed: 2231755
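The IE/TLV parsing fixes in this log (the rrm_fill_beacon_ies header check and uint16_t length overflow, the unpack_tlv_core nBufRemaining ordering, the dot11f_unpack_assoc_response extra-byte read, and the dot11f_unpack length decrement) all come down to one rule: check the remaining length before reading the element header and before subtracting from it. The walker below is an added example written for this listing, not code from the driver or from any of these commits; the function names and the sample IE bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical IE walker (not the driver's code). An 802.11 information
 * element is a 1-byte ID, a 1-byte length and a payload of that length.
 * Three defensive rules, matching the fixes above:
 *  1. require the 2-byte header to fit before reading the length byte;
 *  2. compute the total in size_t so a length byte of 0xfe cannot wrap;
 *  3. compare against 'remaining' before subtracting, so it never underflows.
 * Returns the number of IEs found, or -1 if the run is malformed. */
int count_ies_safely(const uint8_t *buf, size_t remaining)
{
    int count = 0;

    while (remaining > 0) {
        if (remaining < 2)                  /* rule 1: header must fit first */
            return -1;
        size_t total = (size_t)buf[1] + 2;  /* rule 2: payload + header, no wrap */
        if (total > remaining)              /* rule 3: check before advancing */
            return -1;
        buf += total;
        remaining -= total;                 /* cannot underflow after the check */
        count++;
    }
    return count;
}

/* Constructed sample inputs, not captured from a real AP. */
static const uint8_t k_well_formed[] = {
    0x00, 0x04, 't', 'e', 's', 't',         /* SSID IE, 4-byte payload */
    0x01, 0x02, 0x82, 0x84                  /* Supported Rates IE, 2 rates */
};
static const uint8_t k_truncated_payload[] = { 0x00, 0x04, 't', 'e' }; /* claims 4, has 2 */
static const uint8_t k_dangling_header[]   = { 0x00, 0x00, 0xdd };     /* lone ID byte at end */
static const uint8_t k_oversized_len[]     = { 0x00, 0xfe, 0x00 };     /* 0xfe + 2 = 256 > 3 */

int demo_well_formed(void)       { return count_ies_safely(k_well_formed, sizeof k_well_formed); }
int demo_truncated_payload(void) { return count_ies_safely(k_truncated_payload, sizeof k_truncated_payload); }
int demo_dangling_header(void)   { return count_ies_safely(k_dangling_header, sizeof k_dangling_header); }
int demo_oversized_len(void)     { return count_ies_safely(k_oversized_len, sizeof k_oversized_len); }

int main(void)
{
    printf("well formed: %d IEs\n", demo_well_formed());          /* 2 */
    printf("truncated payload: %d\n", demo_truncated_payload());  /* -1 */
    printf("dangling header: %d\n", demo_dangling_header());      /* -1 */
    printf("oversized length: %d\n", demo_oversized_len());       /* -1 */
    return 0;
}
```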