From f33a4f5a7d5b0b54b72f6775a450575fc82a2fd8 Mon Sep 17 00:00:00 2001
From: Kiran Kumar Lokere
Date: Mon, 9 Sep 2024 16:07:29 -0700
Subject: [PATCH 1/6] qcacld-3.0: Fix the possible OOB write in country IE unpack

Fix the possible OOB write in unpacking the country IE due to the IE length check against integer division.
CRs-Fixed: 3910626
Change-Id: I800290ab7285fb46ed43a46ce38967046b4881fa
(cherry picked from commit 0002f9ddc9a6be3e34fe15e55f286b5794b29f08)
---
 core/mac/src/include/dot11f.h | 2 +-
 core/mac/src/sys/legacy/src/utils/src/dot11f.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/core/mac/src/include/dot11f.h b/core/mac/src/include/dot11f.h
index 7b0afc593596..338a943facae 100644
--- a/core/mac/src/include/dot11f.h
+++ b/core/mac/src/include/dot11f.h
@@ -27,7 +27,7 @@
  *
  *
  * This file was automatically generated by 'framesc'
- * Mon May 30 20:50:39 2022 from the following file(s):
+ * Wed Sep 11 12:49:28 2024 from the following file(s):
  *
  * dot11f.frms
  *
diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
index ec2f7ff8be51..b44f94ea0ba8 100644
--- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c
+++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
@@ -25,7 +25,7 @@
  *
  *
  * This file was automatically generated by 'framesc'
- * Mon May 30 20:50:39 2022 from the following file(s):
+ * Wed Sep 11 12:49:28 2024 from the following file(s):
  *
  * dot11f.frms
  *
@@ -134,7 +134,7 @@ typedef struct sIEDefn {
 #define DOT11F_PARAMETER_CHECK2(pSrc, pBuf, nBuf, pnConsumed) \
 do { \
 if (!pSrc || IsBadReadPtr(pSrc, 4))\
- eturn DOT11F_BAD_INPUT_BUFFER; \
+ return DOT11F_BAD_INPUT_BUFFER; \
 if (!pBuf || IsBadWritePtr(pBuf, nBuf))\
 return DOT11F_BAD_OUTPUT_BUFFER; \
 if (!nBuf)\
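Review bot: The restored `return` in DOT11F_PARAMETER_CHECK2 has effect only in builds where the macro is expanded; the file built with `eturn` in place, which suggests this check is compiled out in the configurations exercised here (inferred — the conditional around the macro and the rest of its body are outside the hunk). The guard probes only 4 bytes of `pSrc` (`IsBadReadPtr(pSrc, 4)`), so it is a pointer sanity check rather than a bound on the IE length the unpackers go on to read, and a comment above the `do {` saying so — `/* pointer sanity only: probes 4 bytes, not the IE length; per-IE length checks live in each unpacker */` — would stop it being relied on as one. dot11f.c is generated by framesc (header hunk above), so the correction also needs to exist in the generator or it will be lost on the next regeneration.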
@@ -4131,7 +4131,7 @@ uint32_t dot11f_unpack_ie_country(tpAniSirGlobal pCtx,
 return 0U;
 } else {
 pDst->num_more_triplets = (uint8_t)(ielen / 3);
- if (ielen / 3 > 80) {
+ if (ielen > 80 * 3) {
 pDst->present = 0;
 return DOT11F_SKIPPED_BAD_IE;
 }

From 923a4325957c9c1bda483828037331defd919a0e Mon Sep 17 00:00:00 2001
From: Ravindra Konda
Date: Thu, 26 Sep 2024 08:29:49 -0700
Subject: [PATCH 2/6] Release 2.0.8.34W

Release 2.0.8.34W
Change-Id: I8b539f6198a7491667862a742c31424e84380b14
CRs-Fixed: 774533
---
 core/mac/inc/qwlan_version.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h
index 22bb21b22cf9..52ba845b0e8c 100644
--- a/core/mac/inc/qwlan_version.h
+++ b/core/mac/inc/qwlan_version.h
@@ -32,9 +32,9 @@
 #define QWLAN_VERSION_MAJOR 2
 #define QWLAN_VERSION_MINOR 0
 #define QWLAN_VERSION_PATCH 8
-#define QWLAN_VERSION_EXTRA "V"
+#define QWLAN_VERSION_EXTRA "W"
 #define QWLAN_VERSION_BUILD 34
-#define QWLAN_VERSIONSTR "2.0.8.34V"
+#define QWLAN_VERSIONSTR "2.0.8.34W"
 #endif /* QWLAN_VERSION_H */

From 01ae0689b195f626929893b846f53e4bc08d59db Mon Sep 17 00:00:00 2001
From: Surya Prakash Sivaraj
Date: Fri, 29 Mar 2024 10:33:08 +0530
Subject: [PATCH 3/6] qcacld-3.0: Remove use-after-free of frame in tx mgmt send

The tx completion handler for the frame frees the buffer. Therefore, usage of frame after tx completion causes undesired effect. Remove the dereference of tx frame buffer contents in lim_tx_mgmt_frame() after the tx completion.
Change-Id: I32211e1bce4f96ba920a2212ef65aa39831666ab
CRs-Fixed: 3772014
---
 core/mac/src/pe/lim/lim_send_management_frames.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/core/mac/src/pe/lim/lim_send_management_frames.c b/core/mac/src/pe/lim/lim_send_management_frames.c
index d9d92767aed6..67e12248ea2a 100644
--- a/core/mac/src/pe/lim/lim_send_management_frames.c
+++ b/core/mac/src/pe/lim/lim_send_management_frames.c
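Review bot: Comparing the raw `ielen` against `80 * 3` rather than the truncated `ielen / 3` against 80 closes the case the commit message calls out: for `ielen` of 241 or 242 the old test saw 80 and passed, while the copy that follows (outside the hunk) was presumably driven by a byte count larger than 80 triplets. A trailing partial triplet (`ielen % 3 != 0`) is still accepted and dropped by `num_more_triplets = (uint8_t)(ielen / 3)`; that is likely deliberate, since the element may carry a pad octet, but the reason should be written down, e.g. `/* at most 80 triplets; bound the byte count, a trailing pad octet is ignored */` above the `if`. Whether the copy uses `ielen` or `num_more_triplets * 3` decides whether a partial-triplet byte still lands in the array, and I cannot confirm that from here. This is generated output (framesc header), so dot11f.frms or the generator must carry the same bound, and the body of dot11f_unpack_ie_country continues outside the hunk.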
@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2011-2020 The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -5744,8 +5744,7 @@ static void lim_tx_mgmt_frame(struct mac_context *mac_ctx, uint8_t vdev_id,
 MTRACE(qdf_trace(QDF_MODULE_ID_PE, TRACE_CODE_TX_COMPLETE,
 session->peSessionId, qdf_status));
 if (!QDF_IS_STATUS_SUCCESS(qdf_status)) {
- pe_err("*** Could not send Auth frame (subType: %d), retCode=%X ***",
- fc->subType, qdf_status);
+ pe_err("Could not send Auth frame, retCode=%X", qdf_status);
 mac_ctx->auth_ack_status = LIM_TX_FAILED;
 auth_ack_status = SENT_FAIL;
 lim_diag_event_report(mac_ctx, WLAN_PE_DIAG_AUTH_ACK_EVENT,

From 507504e89d928623d1bc2a5a805eaf7fdbefd313 Mon Sep 17 00:00:00 2001
From: Ravindra Konda
Date: Fri, 4 Oct 2024 09:04:56 -0700
Subject: [PATCH 4/6] Release 2.0.8.34X

Release 2.0.8.34X
Change-Id: I236740f6ead734b72780cfa0366f0311a20a9308
CRs-Fixed: 774533
---
 core/mac/inc/qwlan_version.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h
index 52ba845b0e8c..cada8a0095ac 100644
--- a/core/mac/inc/qwlan_version.h
+++ b/core/mac/inc/qwlan_version.h
@@ -32,9 +32,9 @@
 #define QWLAN_VERSION_MAJOR 2
 #define QWLAN_VERSION_MINOR 0
 #define QWLAN_VERSION_PATCH 8
-#define QWLAN_VERSION_EXTRA "W"
+#define QWLAN_VERSION_EXTRA "X"
 #define QWLAN_VERSION_BUILD 34
-#define QWLAN_VERSIONSTR "2.0.8.34W"
+#define QWLAN_VERSIONSTR "2.0.8.34X"
 #endif /* QWLAN_VERSION_H */

From 685e5c9a53e754d4eb67211ed5ec7b4144bbfcd1 Mon Sep 17 00:00:00 2001
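Review bot: Dropping `fc->subType` from the log removes the read after the completion handler has freed the frame, but it also discards the one field that identified which Auth frame failed; the value is still valid before the transmit call (outside the hunk), so capture it there — `uint8_t sub_type = fc->subType;` — and log `pe_err("Could not send Auth frame (subType: %d), retCode=%X", sub_type, qdf_status);` instead. Only one dereference is removed here; any other use of `fc` or the frame buffer after the completion in the rest of lim_tx_mgmt_frame, which starts and ends outside the hunk, needs the same treatment. A comment at the log line, `/* frame buffer is freed by the tx completion handler; do not dereference fc here */`, would keep the next edit from reintroducing it.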
From: Dharmendra Tiwari
Date: Tue, 3 Sep 2024 23:06:17 -0700
Subject: [PATCH 5/6] qcacld-3.0: Correcting the TSInfo structure size according to the Spec

According to spec the TSinfo size should be 4 bytes. To fix this issue,TSInfo size is increased to 4bytes aligning with the current standard.
CRs-Fixed: 3910625
Change-Id: I7979fa84af0295d21d4afe1b876af494a5b8fed8
---
 core/mac/src/cfg/cfgUtil/dot11f.frms | 2 +-
 core/mac/src/include/dot11f.h | 4 ++--
 core/mac/src/sys/legacy/src/utils/src/dot11f.c | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/core/mac/src/cfg/cfgUtil/dot11f.frms b/core/mac/src/cfg/cfgUtil/dot11f.frms
index a3bbbbbf6297..4cb16f7da0c1 100644
--- a/core/mac/src/cfg/cfgUtil/dot11f.frms
+++ b/core/mac/src/cfg/cfgUtil/dot11f.frms
@@ -370,7 +370,7 @@ FF SMPowerModeSet (1) //7.3.1.25
 }
 }
-FF TSInfo (3) // 7.3.2.30
+FF TSInfo (4) // 7.3.2.30
 {
 {
 traffic_type: 1;
diff --git a/core/mac/src/include/dot11f.h b/core/mac/src/include/dot11f.h
index 338a943facae..216172f4c2c8 100644
--- a/core/mac/src/include/dot11f.h
+++ b/core/mac/src/include/dot11f.h
@@ -27,7 +27,7 @@
  *
  *
  * This file was automatically generated by 'framesc'
- * Wed Sep 11 12:49:28 2024 from the following file(s):
+ * Tue Sep 3 23:04:38 2024 from the following file(s):
  *
  * dot11f.frms
  *
@@ -442,7 +442,7 @@ typedef struct sDot11fFfTSInfo {
 uint32_t unused:15;
 } tDot11fFfTSInfo;
-#define DOT11F_FF_TSINFO_LEN (3)
+#define DOT11F_FF_TSINFO_LEN (4)
 void dot11f_unpack_ff_ts_info(tpAniSirGlobal, uint8_t *, tDot11fFfTSInfo *);
diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
index b44f94ea0ba8..3e2dba18d7c4 100644
--- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c
+++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
@@ -25,7 +25,7 @@
  *
  *
  * This file was automatically generated by 'framesc'
- * Wed Sep 11 12:49:28 2024 from the following file(s):
+ * Tue Sep 3 23:04:38 2024 from the following file(s):
  *
  * dot11f.frms
  *
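Review bot: Growing a wire-format fixed field from 3 to 4 octets changes both what is packed on air and how peer frames are parsed, so the justification in the commit message ("According to spec the TSinfo size should be 4 bytes") needs a clause citation: as far as I can tell the TS Info field in 802.11 is 3 octets, which is what the old `FF TSInfo (3) // 7.3.2.30` and `DOT11F_FF_TSINFO_LEN (3)` encoded. If the real problem is that `tDot11fFfTSInfo` is declared with `uint32_t` bitfield members (`uint32_t unused:15` in the dot11f.h hunk) and the generated pack/unpack touch it 4 bytes at a time — which is the out-of-bounds access a 3-byte field would invite — the safer fix is a 3-byte access in the generated routines rather than a different frame length. The DelTS size change (`*pnNeeded = 8` in the dot11f.c hunk at -16710 that follows) is a consequence of this and inherits the same concern. Please confirm against the current standard's DELTS frame body before merging, and record the reasoning in a comment next to `FF TSInfo (4)`.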
@@ -16710,7 +16710,7 @@ uint32_t dot11f_get_packed_del_ts_size(tpAniSirGlobal pCtx,
 tDot11fDelTS *pFrm, uint32_t *pnNeeded)
 {
 uint32_t status = 0;
- *pnNeeded = 7;
+ *pnNeeded = 8;
 status = get_packed_size_core(pCtx, (uint8_t *)pFrm, pnNeeded, IES_DelTS);
 return status;

From 1a2fc5395ed628e0b804102bf8ef1b08390bddca Mon Sep 17 00:00:00 2001
From: Ravindra Konda
Date: Wed, 9 Oct 2024 03:44:50 -0700
Subject: [PATCH 6/6] Release 2.0.8.34Y

Release 2.0.8.34Y
Change-Id: Ifb4c818cfbb266d94f02fb887edd901c4471a707
CRs-Fixed: 774533
---
 core/mac/inc/qwlan_version.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h
index cada8a0095ac..a57de3022392 100644
--- a/core/mac/inc/qwlan_version.h
+++ b/core/mac/inc/qwlan_version.h
@@ -32,9 +32,9 @@
 #define QWLAN_VERSION_MAJOR 2
 #define QWLAN_VERSION_MINOR 0
 #define QWLAN_VERSION_PATCH 8
-#define QWLAN_VERSION_EXTRA "X"
+#define QWLAN_VERSION_EXTRA "Y"
 #define QWLAN_VERSION_BUILD 34
-#define QWLAN_VERSIONSTR "2.0.8.34X"
+#define QWLAN_VERSIONSTR "2.0.8.34Y"
 #endif /* QWLAN_VERSION_H */