In function rrmFillBeaconIes, the total IE length is calculated
as sum of length field of the IE and 2 (element id 1 byte and IE
length field 1 byte). The total IE length is defined of type
uint16_t and will overflow if the *(pBcnIes + 1) = 0xfe.
Validate the len against total IE length to avoid overflow.
Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2617005
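
The check described in the commit message above, sketched as an added example (not code from the commit or from the qcacld driver). The function names, the 8-bit accumulator in `ie_total_len_narrow`, and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper: total element size when accumulated in an 8-bit
 * variable (an assumption for illustration). 0xfe + 2 wraps to 0, so a
 * walker that advances by this value never moves forward. */
static uint8_t ie_total_len_narrow(const uint8_t *ie)
{
    uint8_t len = ie[1];
    len += 2;               /* element id (1 byte) + length field (1 byte) */
    return len;
}

/* Hypothetical hardened walker: copies whole IEs from src into dst.
 * Returns the number of bytes copied, or -1 if an element's declared
 * size runs past the end of the input. */
static int copy_ies_checked(const uint8_t *src, size_t src_len,
                            uint8_t *dst, size_t dst_len)
{
    size_t off = 0, out = 0;

    while (src_len - off >= 2) {
        /* Computed in size_t, so id + length + payload cannot wrap. */
        size_t total = (size_t)src[off + 1] + 2;

        if (total > src_len - off)   /* element claims more than remains */
            return -1;
        if (total > dst_len - out)   /* no room left: stop at a whole IE */
            break;
        memcpy(dst + out, src + off, total);
        out += total;
        off += total;
    }
    return (int)out;
}

/* Constructed sample input: one well-formed IE, then an IE whose length
 * byte is 0xfe although only 3 payload bytes follow. */
static const uint8_t sample_ies[] = {
    0x00, 0x03, 'l', 'a', 'b',
    0xdd, 0xfe, 0x01, 0x02, 0x03
};
```
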

Currently STA is advertising the max. measurement duration of RM
capability as half the beacon interval. When STA receives beacon
report request frame, it is not using measurement duration
indicated if it is above the advertised max. measurement duration.
However, firmware expects a minimum of one beacon interval to
find the AP.
Modify the max. measurement capability of RRM as one beacon interval.
Also engineered the code to make use of the INI parameters for
adjusting the max measurement duration.
Change-Id: Idc0b4f15f2b7464507aacfaefb99e1ba48ad1eca
CRs-Fixed: 1030590

qcacld-3.0 to qcacld-2.0 propagation
In function rrmProcessBeaconReportReq, add bound check before
writing to channel list which is of fixed size.
Change-Id: I3c80974bba84a96f7b85e4ce62bbb01c23b4babf
CRs-Fixed: 2072780

Currently, driver doesn't consider tx power which was negotiated
at the time of connection for max tx power for RRM Link Measurement
Request.
Fix this by not allowing tx power more than pSessionEntry->maxTxPower.
Change-Id: Idebe6d11e05da0b3b8186e2c84ff8ad4ac124fdc
CRs-Fixed: 2021835

qcacld-3.0 to qcacld-2.0 propagation
In function rrm_process_beacon_report_req, add bound check before
writing to channel list which is of fixed size.
Change-Id: I3c80974bba84a96f7b85e4ce62bbb01c23b4babf
CRs-Fixed: 2060138
Bug: 64438727
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>