Merge tag 'LA.UM.7.2.c25-04700-sdm660.0' of https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0 into lineage-18.1-caf-msm8998

"LA.UM.7.2.c25-04700-sdm660.0"

* tag 'LA.UM.7.2.c25-04700-sdm660.0' of https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0:
  qcacld-3.0: Fix possible memory leak of tx_time_per_power_level
  qcacld-3.0: Validate NDP app info length before accessing NDP app info
  qcacld-3.0: Avoid OOB read in dot11f_unpack_assoc_response
  qcacld-3.0: Avoid OOB read in sch_get_csa_ecsa_count_offset
  qcacld-3.0: Fix possible OOB in unpack_tlv_core
  qcacld-3.0: Possible buffer overflow issue in wma
  qcacld-3.0: wma_send_peer_assoc() sets incorrect peer state
  qcacld-3.0: Do not intrabss fwd frag EAPOL frames in HL
  qcacld-3.0: Do not intrabss forward fragmented EAPOL frames.
  qcacld-3.0: Fix MIC verification in helium family.
  qcacld-3.0: Do not intrabss fwd EAPOL frames in IPA exc path
  qcacld-3.0: Drop EAPOL frame with DA different from SAP vdev mac addr
  qcacld-3.0: Drop non-EAPOL/WAPI frames from unauthorized peer
  qcacld-3.0: Modify check to ensure consecutive PN for frags
  qcacld-3.0: Flush frags for peer on add key request
  qcacld-3.0: Add support to flush fragments for a particular peer
  qcacld-3.0: Drop mcast and plaintext frags in protected network
  qcacld-3.0: Fix integer underflow in assoc response frame
  qcacld-3.0: lim_strip_ie to extract multiple IEs of given type
  qcacld-3.0: Send assoc reject upon failing to post ASSOC_IND
  qcacld-3.0: Fix while condition in rrm_fill_beacon_ies()
  qcacld-3.0: Validate assoc response IE len before copy

 Conflicts:
	drivers/staging/qcacld-3.0/core/dp/txrx/ol_rx_defrag.c
	drivers/staging/qcacld-3.0/core/dp/txrx/ol_rx_fwd.c
	drivers/staging/qcacld-3.0/core/dp/txrx/ol_txrx.c
	drivers/staging/qcacld-3.0/core/dp/txrx/ol_txrx_types.h
	drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c
	drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_ipa.c

Change-Id: Ie56b36a1cc9f04a8f986b94a2cb9d4b7add54390

6 files changed, 39 insertions, 63 deletions

diff --git a/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_nan_datapath.h b/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_nan_datapath.h
index 72516e3f80e2..5b1353cf856b 100644
--- a/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_nan_datapath.h
+++ b/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_nan_datapath.h
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -35,7 +36,6 @@ struct wireless_dev;
 #define NAN_SOCIAL_CHANNEL_5GHZ_LOWER_BAND 44
 #define NAN_SOCIAL_CHANNEL_5GHZ_UPPER_BAND 149
 
-#define NDP_APP_INFO_LEN 255
 #define NDP_PMK_LEN 32
 #define NDP_SCID_BUF_LEN 256
 #define NDP_NUM_INSTANCE_ID 255
diff --git a/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_utils.c b/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_utils.c
index 2ca082b1fadf..10768fbf8001 100644
--- a/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_utils.c
+++ b/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_utils.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2019, 2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -6552,7 +6552,7 @@ tSirRetStatus lim_strip_ie(tpAniSirGlobal mac_ctx,
 	int left = *addn_ielen;
 	uint8_t *ptr = addn_ie;
 	uint8_t elem_id;
-	uint16_t elem_len;
+	uint16_t elem_len, ie_len, extracted_ie_len = 0;
 
 	if (NULL == addn_ie) {
 		pe_err("NULL addn_ie pointer");
@@ -6565,6 +6565,10 @@ tSirRetStatus lim_strip_ie(tpAniSirGlobal mac_ctx,
 		return eSIR_MEM_ALLOC_FAILED;
 	}
 
+	if (extracted_ie)
+		qdf_mem_set(extracted_ie, eid_max_len + size_of_len_field + 1,
+			    0);
+
 	while (left >= 2) {
 		elem_id  = ptr[0];
 		left -= 1;
@@ -6595,12 +6599,13 @@ tSirRetStatus lim_strip_ie(tpAniSirGlobal mac_ctx,
 			 * take oui IE and store in provided buffer.
 			 */
 			if (NULL != extracted_ie) {
-				qdf_mem_set(extracted_ie,
-					    eid_max_len + size_of_len_field + 1,
-					    0);
-				if (elem_len <= eid_max_len)
-					qdf_mem_copy(extracted_ie, &ptr[0],
-					elem_len + size_of_len_field + 1);
+				ie_len = elem_len + size_of_len_field + 1;
+				if (ie_len <= eid_max_len - extracted_ie_len) {
+					qdf_mem_copy(
+					extracted_ie + extracted_ie_len,
+					&ptr[0], ie_len);
+					extracted_ie_len += ie_len;
+				}
 			}
 		}
 		left -= elem_len;
diff --git a/drivers/staging/qcacld-3.0/core/wma/inc/wma.h b/drivers/staging/qcacld-3.0/core/wma/inc/wma.h
index 5728194c58d6..79f812017119 100644
--- a/drivers/staging/qcacld-3.0/core/wma/inc/wma.h
+++ b/drivers/staging/qcacld-3.0/core/wma/inc/wma.h
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -55,6 +56,7 @@
 #define WMA_RESUME_TIMEOUT                 6000
 #define MAX_MEM_CHUNKS                     32
 #define NAN_CLUSTER_ID_BYTES               4
+#define NDP_APP_INFO_LEN                   255
 
 #define WMA_CRASH_INJECT_TIMEOUT           5000
 
diff --git a/drivers/staging/qcacld-3.0/core/wma/src/wma_mgmt.c b/drivers/staging/qcacld-3.0/core/wma/src/wma_mgmt.c
index ad1017e9bd7b..15635db077c0 100644
--- a/drivers/staging/qcacld-3.0/core/wma/src/wma_mgmt.c
+++ b/drivers/staging/qcacld-3.0/core/wma/src/wma_mgmt.c
@@ -918,45 +918,6 @@ static inline uint8_t wma_parse_mpdudensity(uint8_t mpdudensity)
 		return 0;
 }
 
-#if defined(CONFIG_HL_SUPPORT) && defined(FEATURE_WLAN_TDLS)
-
-/**
- * wma_unified_peer_state_update() - update peer state
- * @pdev: pdev handle
- * @sta_mac: pointer to sta mac addr
- * @bss_addr: bss address
- * @sta_type: sta entry type
- *
- *
- * Return: None
- */
-static void
-wma_unified_peer_state_update(
-	struct ol_txrx_pdev_t *pdev,
-	uint8_t *sta_mac,
-	uint8_t *bss_addr,
-	uint8_t sta_type)
-{
-	if (STA_ENTRY_TDLS_PEER == sta_type)
-		ol_txrx_peer_state_update(pdev, sta_mac,
-					  OL_TXRX_PEER_STATE_AUTH);
-	else
-		ol_txrx_peer_state_update(pdev, bss_addr,
-					  OL_TXRX_PEER_STATE_AUTH);
-}
-#else
-
-static inline void
-wma_unified_peer_state_update(
-	struct ol_txrx_pdev_t *pdev,
-	uint8_t *sta_mac,
-	uint8_t *bss_addr,
-	uint8_t sta_type)
-{
-	ol_txrx_peer_state_update(pdev, bss_addr, OL_TXRX_PEER_STATE_AUTH);
-}
-#endif
-
 #define CFG_CTRL_MASK              0xFF00
 #define CFG_DATA_MASK              0x00FF
 
@@ -1247,9 +1208,6 @@ QDF_STATUS wma_send_peer_assoc(tp_wma_handle wma,
 	if (params->wpa_rsn >> 1)
 		cmd->peer_flags |= WMI_PEER_NEED_GTK_2_WAY;
 
-	wma_unified_peer_state_update(pdev, params->staMac,
-				      params->bssId, params->staType);
-
 #ifdef FEATURE_WLAN_WAPI
 	if (params->encryptType == eSIR_ED_WPI) {
 		ret = wma_vdev_set_param(wma->wmi_handle, params->smesessionId,
diff --git a/drivers/staging/qcacld-3.0/core/wma/src/wma_nan_datapath.c b/drivers/staging/qcacld-3.0/core/wma/src/wma_nan_datapath.c
index dff36acb30ee..6702ef10c3c8 100644
--- a/drivers/staging/qcacld-3.0/core/wma/src/wma_nan_datapath.c
+++ b/drivers/staging/qcacld-3.0/core/wma/src/wma_nan_datapath.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -720,6 +721,11 @@ static int wma_ndp_confirm_event_handler(void *handle, uint8_t *event_info,
 			WMA_LOGE(FL("malloc failed"));
 			return QDF_STATUS_E_NOMEM;
 		}
+
+		if (ndp_confirm.ndp_info.ndp_app_info_len > NDP_APP_INFO_LEN)
+			ndp_confirm.ndp_info.ndp_app_info_len =
+							NDP_APP_INFO_LEN;
+
 		qdf_mem_copy(&ndp_confirm.ndp_info.ndp_app_info,
 			     event->ndp_app_info,
 			     ndp_confirm.ndp_info.ndp_app_info_len);
diff --git a/drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c b/drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c
index 0f6ee673580a..e4bac00f1d38 100644
--- a/drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c
+++ b/drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c
@@ -1635,20 +1635,25 @@ static int wma_unified_radio_tx_power_level_stats_event_handler(void *handle,
 		return -EINVAL;
 	}
 
+	if (rs_results->tx_time_per_power_level) {
+		qdf_mem_free(rs_results->tx_time_per_power_level);
+		rs_results->tx_time_per_power_level = NULL;
+	}
+
+	rs_results->tx_time_per_power_level =
+		qdf_mem_malloc(sizeof(uint32_t) *
+			       rs_results->total_num_tx_power_levels);
 	if (!rs_results->tx_time_per_power_level) {
-		rs_results->tx_time_per_power_level = qdf_mem_malloc(
-				sizeof(uint32_t) *
-				rs_results->total_num_tx_power_levels);
-		if (!rs_results->tx_time_per_power_level) {
-			WMA_LOGA("%s: Mem alloc fail for tx power level stats",
-				 __func__);
-			/* In error case, atleast send the radio stats without
-			 * tx_power_level stats */
-			rs_results->total_num_tx_power_levels = 0;
-			link_stats_results->nr_received++;
-			goto post_stats;
-		}
+		WMA_LOGA("%s: Mem alloc fail for tx power level stats",
+			 __func__);
+		/* In error case, atleast send the radio stats without
+		 * tx_power_level stats
+		 */
+		rs_results->total_num_tx_power_levels = 0;
+		link_stats_results->nr_received++;
+		goto post_stats;
 	}
+
 	qdf_mem_copy(&rs_results->tx_time_per_power_level[
 					fixed_param->power_level_offset],
 		tx_power_level_values,