qcacld-3.0: Fix layering violation while handling management frames

Fix layering violation while handling management frames. Currently
LIM data structures are accessed before dropping Assoc, Disassoc and
Deauth packets to avoid DoS attacks. Since the LIM data structures
are accessed in different thread context, data present in them are
out of sync resulting in a crash.

Fix the layering violation by doing the appropriate check in WMA instead
of doing the same in LIM.

Change-Id: I8876a4d4b99948cd9ab3ccec403cf5e4050b1cff
CRs-Fixed: 977773
diff --git a/core/mac/src/pe/include/lim_api.h b/core/mac/src/pe/include/lim_api.h
index 0622887..e66de6b 100644
--- a/core/mac/src/pe/include/lim_api.h
+++ b/core/mac/src/pe/include/lim_api.h
@@ -160,10 +160,6 @@
 tMgmtFrmDropReason lim_is_pkt_candidate_for_drop(tpAniSirGlobal pMac,
 						 uint8_t *pRxPacketInfo,
 						 uint32_t subType);
-bool lim_is_deauth_diassoc_for_drop(tpAniSirGlobal mac, uint8_t *rx_pkt_info);
-#ifdef WLAN_FEATURE_11W
-bool lim_is_assoc_req_for_drop(tpAniSirGlobal mac, uint8_t *rx_pkt_info);
-#endif
 #ifdef WLAN_FEATURE_ROAM_OFFLOAD
 QDF_STATUS pe_roam_synch_callback(tpAniSirGlobal mac_ctx,
 	struct sSirSmeRoamOffloadSynchInd *roam_sync_ind_ptr,
diff --git a/core/mac/src/pe/lim/lim_api.c b/core/mac/src/pe/lim/lim_api.c
index 176a318..5912165 100644
--- a/core/mac/src/pe/lim/lim_api.c
+++ b/core/mac/src/pe/lim/lim_api.c
@@ -1131,134 +1131,6 @@
 	}
 } /*** end lim_is_system_in_scan_state() ***/
 
-#ifdef WLAN_FEATURE_11W
-/**
- * lim_is_assoc_req_for_drop()- function to decides to drop assoc\reassoc
- *  frames.
- * @mac: pointer to global mac structure
- * @rx_pkt_info: rx packet meta information
- *
- * This function is called before enqueuing the frame to PE queue to
- * drop flooded assoc/reassoc frames getting into PE Queue.
- *
- * Return: true for dropping the frame otherwise false
- */
-
-bool lim_is_assoc_req_for_drop(tpAniSirGlobal mac, uint8_t *rx_pkt_info)
-{
-	uint8_t session_id;
-	uint16_t aid;
-	tpPESession session_entry;
-	tpSirMacMgmtHdr mac_hdr;
-	tpDphHashNode sta_ds;
-
-	mac_hdr = WMA_GET_RX_MAC_HEADER(rx_pkt_info);
-	session_entry = pe_find_session_by_bssid(mac, mac_hdr->bssId,
-				 &session_id);
-	if (!session_entry) {
-		PELOG1(limLog(pMac, LOG1,
-			FL("session does not exist for given STA [%pM]"),
-			mac_hdr->sa););
-		return false;
-	}
-
-	sta_ds = dph_lookup_hash_entry(mac, mac_hdr->sa, &aid,
-				&session_entry->dph.dphHashTable);
-	if (!sta_ds) {
-		PELOG1(limLog(pMac, LOG1, FL("pStaDs is NULL")););
-		return false;
-	}
-
-	if (!sta_ds->rmfEnabled)
-		return false;
-
-	if (sta_ds->pmfSaQueryState == DPH_SA_QUERY_IN_PROGRESS)
-		return true;
-
-	if (sta_ds->last_assoc_received_time &&
-		((qdf_mc_timer_get_system_ticks() -
-			 sta_ds->last_assoc_received_time) < 1000))
-		return true;
-
-	sta_ds->last_assoc_received_time = qdf_mc_timer_get_system_ticks();
-	return false;
-}
-#endif
-
-/**
- * lim_is_deauth_diassoc_for_drop()- function to decides to drop deauth\diassoc
- *  frames.
- * @mac: pointer to global mac structure
- * @rx_pkt_info: rx packet meta information
- *
- * This function is called before enqueuing the frame to PE queue to
- * drop flooded deauth/diassoc frames getting into PE Queue.
- *
- * Return: true for dropping the frame otherwise false
- */
-
-bool lim_is_deauth_diassoc_for_drop(tpAniSirGlobal mac, uint8_t *rx_pkt_info)
-{
-	uint8_t session_id;
-	uint16_t aid;
-	tpPESession session_entry;
-	tpSirMacMgmtHdr mac_hdr;
-	tpDphHashNode   sta_ds;
-
-	mac_hdr = WMA_GET_RX_MAC_HEADER(rx_pkt_info);
-	session_entry = pe_find_session_by_bssid(mac, mac_hdr->bssId,
-			 &session_id);
-	if (!session_entry) {
-		PELOG1(limLog(mac, LOG1,
-			FL("session does not exist for given STA [%pM]"),
-			mac_hdr->sa););
-		return true;
-	}
-
-	sta_ds = dph_lookup_hash_entry(mac, mac_hdr->sa, &aid,
-					&session_entry->dph.dphHashTable);
-	if (!sta_ds) {
-		PELOG1(limLog(mac, LOG1, FL("pStaDs is NULL")););
-		return true;
-	}
-
-#ifdef WLAN_FEATURE_11W
-	if (session_entry->limRmfEnabled) {
-		if ((WMA_GET_RX_DPU_FEEDBACK(rx_pkt_info) &
-			DPU_FEEDBACK_UNPROTECTED_ERROR)) {
-			/* It may be possible that deauth/diassoc frames from a
-			 * spoofy AP is received. So if all further
-			 * deauth/diassoc frmaes are dropped, then it may
-			 * result in lossing deauth/diassoc frames from genuine
-			 * AP. So process all deauth/diassoc frames with
-			 * a time difference of 1 sec.
-			 */
-			if ((qdf_mc_timer_get_system_ticks() -
-				 sta_ds->last_unprot_deauth_disassoc) < 1000)
-				return true;
-
-			sta_ds->last_unprot_deauth_disassoc =
-					qdf_mc_timer_get_system_ticks();
-		} else {
-			/* PMF enabed, Management frames are protected */
-			if (sta_ds->proct_deauh_disassoc_cnt)
-				return true;
-			else
-				sta_ds->proct_deauh_disassoc_cnt++;
-		}
-	} else
-#endif
-	/* PMF disabled */
-	{
-		if (sta_ds->is_disassoc_deauth_in_progress)
-			return true;
-		else
-			sta_ds->is_disassoc_deauth_in_progress++;
-	}
-
-	return false;
-}
-
 /**
  *\brief lim_received_hb_handler()
  *
@@ -2209,18 +2081,6 @@
 		}
 	}
 
-	if ((subType == SIR_MAC_MGMT_DEAUTH ||
-		subType == SIR_MAC_MGMT_DISASSOC) &&
-		lim_is_deauth_diassoc_for_drop(pMac, pRxPacketInfo))
-		return eMGMT_DROP_SPURIOUS_FRAME;
-
-#ifdef WLAN_FEATURE_11W
-	if ((subType == SIR_MAC_MGMT_ASSOC_REQ ||
-		subType == SIR_MAC_MGMT_REASSOC_REQ) &&
-		lim_is_assoc_req_for_drop(pMac, pRxPacketInfo))
-		return eMGMT_DROP_SPURIOUS_FRAME;
-#endif
-
 	framelen = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
 	pBody = WMA_GET_RX_MPDU_DATA(pRxPacketInfo);
 
diff --git a/core/mac/src/pe/lim/lim_process_message_queue.c b/core/mac/src/pe/lim/lim_process_message_queue.c
index 884b205..27d6a41 100644
--- a/core/mac/src/pe/lim/lim_process_message_queue.c
+++ b/core/mac/src/pe/lim/lim_process_message_queue.c
@@ -803,6 +803,17 @@
 	isFrmFt = WMA_GET_RX_FT_DONE(pRxPacketInfo);
 	fc = pHdr->fc;
 
+	if (pMac->sap.SapDfsInfo.is_dfs_cac_timer_running) {
+		psessionEntry = pe_find_session_by_bssid(pMac,
+					pHdr->bssId, &sessionId);
+		if (psessionEntry &&
+		    (QDF_SAP_MODE == psessionEntry->pePersona)) {
+			lim_log(pMac, LOG1,
+				FL("CAC timer running - drop the frame"));
+			goto end;
+		}
+	}
+
 #ifdef WLAN_DUMP_MGMTFRAMES
 	lim_log(pMac, LOGE,
 		FL("ProtVersion %d, Type %d, Subtype %d rateIndex=%d"),
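Review bot: The new CAC-timer drop at the top of this hunk jumps to `end` with nothing visible here releasing the rx packet or counting the drop, whereas the check it replaces in sys_entry_func.c used `goto fail`; confirm that the `end` label in this function frees `pRxPacketInfo` on this path, since the frame has not been queued anywhere yet. A short why-comment above the check would help the next reader, e.g. `/* SAP in CAC: drop mgmt frames for this BSS before PE sees them (moved here from sys_entry_func.c so PE sessions are only read in LIM context) */`. The enclosing function starts and ends outside the hunk, so `psessionEntry` and `sessionId` are assumed to be declared there.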
diff --git a/core/mac/src/sys/legacy/src/system/src/sys_entry_func.c b/core/mac/src/sys/legacy/src/system/src/sys_entry_func.c
index 057de05..a337ec6 100644
--- a/core/mac/src/sys/legacy/src/system/src/sys_entry_func.c
+++ b/core/mac/src/sys/legacy/src/system/src/sys_entry_func.c
@@ -109,9 +109,6 @@
 	cds_pkt_t *vos_pkt = (cds_pkt_t *) msg->bodyptr;
 	QDF_STATUS qdf_status =
 		wma_ds_peek_rx_packet_info(vos_pkt, &bd_ptr, false);
-	uint8_t sessionid;
-	tpPESession pe_session;
-	tpSirMacMgmtHdr mac_hdr;
 
 	mac_ctx->sys.gSysBbtReceived++;
 
@@ -130,19 +127,7 @@
 	framecount = mac_ctx->sys.gSysFrameCount[type][subtype];
 
 	if (type == SIR_MAC_MGMT_FRAME) {
-		if (true == mac_ctx->sap.SapDfsInfo.is_dfs_cac_timer_running) {
-			mac_hdr = WMA_GET_RX_MAC_HEADER(bd_ptr);
-			pe_session = pe_find_session_by_bssid(mac_ctx,
-					mac_hdr->bssId,
-					&sessionid);
-			if (pe_session &&
-				(pe_session->pePersona == QDF_SAP_MODE)) {
-				QDF_TRACE(QDF_MODULE_ID_SYS,
-					QDF_TRACE_LEVEL_INFO_HIGH,
-					FL("CAC timer is running, dropping the mgmt frame"));
-				goto fail;
-			}
-		}
+		tpSirMacMgmtHdr mac_hdr;
 
 		/*
 		 * Drop beacon frames in deferred state to avoid VOSS run out of
@@ -169,27 +154,26 @@
 			goto fail;
 		}
 
+		mac_hdr = WMA_GET_RX_MAC_HEADER(bd_ptr);
+		if (subtype == SIR_MAC_MGMT_ASSOC_REQ) {
+			sys_log(mac_ctx, LOG1,
+				FL("ASSOC REQ frame allowed: da: " MAC_ADDRESS_STR ", sa: " MAC_ADDRESS_STR ", bssid: " MAC_ADDRESS_STR ", Assoc Req count so far: %d\n"),
+				MAC_ADDR_ARRAY(mac_hdr->da),
+				MAC_ADDR_ARRAY(mac_hdr->sa),
+				MAC_ADDR_ARRAY(mac_hdr->bssId),
+				mac_ctx->sys.gSysFrameCount[type][subtype]);
+		}
 		if (subtype == SIR_MAC_MGMT_DEAUTH) {
-			tpSirMacMgmtHdr mac_hdr = WMA_GET_RX_MAC_HEADER(bd_ptr);
-			sys_log(mac_ctx, LOGE,
-				FL("DEAUTH frame allowed: "
-					"da: " MAC_ADDRESS_STR ", "
-					"sa: " MAC_ADDRESS_STR ", "
-					"bssid: " MAC_ADDRESS_STR ", "
-					"DEAUTH count so far: %d\n"),
+			sys_log(mac_ctx, LOG1,
+				FL("DEAUTH frame allowed: da: " MAC_ADDRESS_STR ", sa: " MAC_ADDRESS_STR ", bssid: " MAC_ADDRESS_STR ", DEAUTH count so far: %d\n"),
 				MAC_ADDR_ARRAY(mac_hdr->da),
 				MAC_ADDR_ARRAY(mac_hdr->sa),
 				MAC_ADDR_ARRAY(mac_hdr->bssId),
 				mac_ctx->sys.gSysFrameCount[type][subtype]);
 		}
 		if (subtype == SIR_MAC_MGMT_DISASSOC) {
-			tpSirMacMgmtHdr mac_hdr = WMA_GET_RX_MAC_HEADER(bd_ptr);
-			sys_log(mac_ctx, LOGE,
-				FL("DISASSOC frame allowed: "
-					"da: " MAC_ADDRESS_STR ", "
-					"sa: " MAC_ADDRESS_STR ", "
-					"bssid: " MAC_ADDRESS_STR ", "
-					"DISASSOC count so far: %d\n"),
+			sys_log(mac_ctx, LOG1,
+				FL("DISASSOC frame allowed: da: " MAC_ADDRESS_STR ", sa: " MAC_ADDRESS_STR ", bssid: " MAC_ADDRESS_STR ", DISASSOC count so far: %d\n"),
 				MAC_ADDR_ARRAY(mac_hdr->da),
 				MAC_ADDR_ARRAY(mac_hdr->sa),
 				MAC_ADDR_ARRAY(mac_hdr->bssId),