Merge android-msm-floral-4.14-rvc-qpr3 into android-msm-pixel-4.14

SBMerger: 351186807
Change-Id: I1f3d80ca8eda5a2a69c222a2f4e81531d6a4ab1d
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
Signed-off-by: Lucas Wei <lucaswei@google.com>

5 files changed, 53 insertions, 6 deletions

diff --git a/dp/inc/cdp_txrx_ops.h b/dp/inc/cdp_txrx_ops.h
index 05f77ff02..67e075ff5 100644
--- a/dp/inc/cdp_txrx_ops.h
+++ b/dp/inc/cdp_txrx_ops.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2017-2018, 2021 The Linux Foundation. All rights reserved.
  *
  *
  * Permission to use, copy, modify, and/or distribute this software for
@@ -1079,6 +1079,8 @@ struct cdp_peer_ops {
 	void (*update_last_real_peer)(struct cdp_pdev *pdev, void *peer,
 			uint8_t *peer_id, bool restore_last_peer);
 	void (*peer_detach_force_delete)(void *peer);
+	void (*peer_flush_frags)(struct cdp_pdev *pdev,
+				 uint8_t vdev_id, uint8_t *peer_mac);
 };
 
 /**
diff --git a/dp/inc/cdp_txrx_peer_ops.h b/dp/inc/cdp_txrx_peer_ops.h
index fb46834b3..b6e9a3f43 100644
--- a/dp/inc/cdp_txrx_peer_ops.h
+++ b/dp/inc/cdp_txrx_peer_ops.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2018, 2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -646,4 +646,27 @@ static inline void cdp_peer_detach_force_delete(ol_txrx_soc_handle soc,
 
 	return;
 }
+
+/**
+ * cdp_peer_flush_frags() - Flush frags on peer
+ * @soc - data path soc handle
+ * @pdev - data path device instance
+ * @vdev_id - virtual interface id
+ * @peer_mac - peer mac addr
+ *
+ * Return: None
+ */
+static inline void
+cdp_peer_flush_frags(ol_txrx_soc_handle soc, struct cdp_pdev *pdev,
+		     uint8_t vdev_id, uint8_t *peer_mac)
+{
+	if (!soc || !soc->ops || !soc->ops->peer_ops) {
+		QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_FATAL,
+			  "%s invalid instance", __func__);
+		return;
+	}
+
+	if (soc->ops->peer_ops->peer_flush_frags)
+		soc->ops->peer_ops->peer_flush_frags(pdev, vdev_id, peer_mac);
+}
 #endif /* _CDP_TXRX_PEER_H_ */
diff --git a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
index 39617ab13..7f62d4906 100644
--- a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
+++ b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
@@ -107,6 +107,17 @@
 #define WLAN_OPMODE_IE_MAX_LEN                   1
 #define WLAN_IBSSDFS_IE_MIN_LEN                  7
 
+/* Wide band channel switch IE length */
+#define WLAN_WIDE_BW_CHAN_SWITCH_IE_LEN          3
+
+/* Number of max TX power elements supported plus size of Transmit Power
+ * Information element.
+ */
+#define WLAN_TPE_IE_MAX_LEN                      9
+
+/* Max channel switch time IE length */
+#define WLAN_MAX_CHAN_SWITCH_TIME_IE_LEN         4
+
 /* HT capability flags */
 #define WLAN_HTCAP_C_ADVCODING             0x0001
 #define WLAN_HTCAP_C_CHWIDTH40             0x0002
diff --git a/umac/scan/core/src/wlan_scan_filter.c b/umac/scan/core/src/wlan_scan_filter.c
index a32d2c200..a458731f1 100644
--- a/umac/scan/core/src/wlan_scan_filter.c
+++ b/umac/scan/core/src/wlan_scan_filter.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2017-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -982,6 +982,7 @@ static bool scm_is_fils_config_match(struct scan_filter *filter,
 	int i;
 	struct fils_indication_ie *indication_ie;
 	uint8_t *data;
+	uint8_t *end_ptr;
 
 	if (!filter->fils_scan_filter.realm_check)
 		return true;
@@ -993,14 +994,18 @@ static bool scm_is_fils_config_match(struct scan_filter *filter,
 	indication_ie =
 		(struct fils_indication_ie *) db_entry->ie_list.fils_indication;
 
+	end_ptr = (uint8_t *)indication_ie + indication_ie->len + 2;
 	data = indication_ie->variable_data;
-	if (indication_ie->is_cache_id_present)
+	if (indication_ie->is_cache_id_present &&
+	    (data + CACHE_IDENTIFIER_LEN) <= end_ptr)
 		data += CACHE_IDENTIFIER_LEN;
 
-	if (indication_ie->is_hessid_present)
+	if (indication_ie->is_hessid_present &&
+	    (data + HESSID_LEN) <= end_ptr)
 		data += HESSID_LEN;
 
-	for (i = 1; i <= indication_ie->realm_identifiers_cnt; i++) {
+	for (i = 1; i <= indication_ie->realm_identifiers_cnt &&
+	     (data + REAM_HASH_LEN) <= end_ptr; i++) {
 		if (!qdf_mem_cmp(filter->fils_scan_filter.fils_realm,
 				 data, REAM_HASH_LEN))
 			return true;
diff --git a/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
index 19407dce1..d82b620c6 100644
--- a/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
@@ -308,12 +308,18 @@ util_scan_parse_chan_switch_wrapper_ie(struct scan_cache_entry *scan_params,
 		}
 		switch (sub_ie->ie_id) {
 		case WLAN_ELEMID_COUNTRY:
+			if (sub_ie->ie_len < WLAN_COUNTRY_IE_MIN_LEN)
+				return QDF_STATUS_E_INVAL;
 			scan_params->ie_list.country = (uint8_t *)sub_ie;
 			break;
 		case WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH:
+			if (sub_ie->ie_len < WLAN_WIDE_BW_CHAN_SWITCH_IE_LEN)
+				return QDF_STATUS_E_INVAL;
 			scan_params->ie_list.widebw = (uint8_t *)sub_ie;
 			break;
 		case WLAN_ELEMID_VHT_TX_PWR_ENVLP:
+			if (sub_ie->ie_len > WLAN_TPE_IE_MAX_LEN)
+				return QDF_STATUS_E_INVAL;
 			scan_params->ie_list.txpwrenvlp = (uint8_t *)sub_ie;
 			break;
 		}