~hc/RK356X_SDK_RELEASE.git

..	..	@@ -1,10 +1,10 @@
1	1	/*
2		- * Marvell Wireless LAN device driver: station RX data handling
	2	+ * NXP Wireless LAN device driver: station RX data handling
3	3	*
4		- * Copyright (C) 2011-2014, Marvell International Ltd.
	4	+ * Copyright 2011-2020 NXP
5	5	*
6		- * This software file (the "File") is distributed by Marvell International
7		- * Ltd. under the terms of the GNU General Public License Version 2, June 1991
	6	+ * This software file (the "File") is distributed by NXP
	7	+ * under the terms of the GNU General Public License Version 2, June 1991
8	8	* (the "License"). You may use, redistribute and/or modify this File in
9	9	* accordance with the terms and conditions of the License, a copy of which
10	10	* is available by writing to the Free Software Foundation, Inc.,
..	..	@@ -98,12 +98,23 @@
98	98	rx_pkt_len = le16_to_cpu(local_rx_pd->rx_pkt_length);
99	99	rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_off;
100	100
101		- if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
102		- sizeof(bridge_tunnel_header))) \|\|
103		- (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header,
104		- sizeof(rfc1042_header)) &&
105		- ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_AARP &&
106		- ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_IPX)) {
	101	+ if (sizeof(rx_pkt_hdr->eth803_hdr) + sizeof(rfc1042_header) +
	102	+ rx_pkt_off > skb->len) {
	103	+ mwifiex_dbg(priv->adapter, ERROR,
	104	+ "wrong rx packet offset: len=%d, rx_pkt_off=%d\n",
	105	+ skb->len, rx_pkt_off);
	106	+ priv->stats.rx_dropped++;
	107	+ dev_kfree_skb_any(skb);
	108	+ return -1;
	109	+ }
	110	+
	111	+ if (sizeof(*rx_pkt_hdr) + rx_pkt_off <= skb->len &&
	112	+ ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
	113	+ sizeof(bridge_tunnel_header))) \|\|
	114	+ (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header,
	115	+ sizeof(rfc1042_header)) &&
	116	+ ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_AARP &&
	117	+ ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_IPX))) {
107	118	/*
108	119	* Replace the 803 header and rfc1042 header (llc/snap) with an
109	120	* EthernetII header, keep the src/dst and snap_type
..	..	@@ -152,14 +163,17 @@
152	163	mwifiex_process_tdls_action_frame(priv, offset, rx_pkt_len);
153	164	}
154	165
155		- priv->rxpd_rate = local_rx_pd->rx_rate;
156		-
157		- priv->rxpd_htinfo = local_rx_pd->ht_info;
	166	+ /* Only stash RX bitrate for unicast packets. */
	167	+ if (likely(!is_multicast_ether_addr(rx_pkt_hdr->eth803_hdr.h_dest))) {
	168	+ priv->rxpd_rate = local_rx_pd->rx_rate;
	169	+ priv->rxpd_htinfo = local_rx_pd->ht_info;
	170	+ }
158	171
159	172	if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA \|\|
160	173	GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_UAP) {
161		- adj_rx_rate = mwifiex_adjust_data_rate(priv, priv->rxpd_rate,
162		- priv->rxpd_htinfo);
	174	+ adj_rx_rate = mwifiex_adjust_data_rate(priv,
	175	+ local_rx_pd->rx_rate,
	176	+ local_rx_pd->ht_info);
163	177	mwifiex_hist_data_add(priv, adj_rx_rate, local_rx_pd->snr,
164	178	local_rx_pd->nf);
165	179	}
..	..	@@ -203,7 +217,8 @@
203	217
204	218	rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_offset;
205	219
206		- if ((rx_pkt_offset + rx_pkt_length) > (u16) skb->len) {
	220	+ if ((rx_pkt_offset + rx_pkt_length) > skb->len \|\|
	221	+ sizeof(rx_pkt_hdr->eth803_hdr) + rx_pkt_offset > skb->len) {
207	222	mwifiex_dbg(adapter, ERROR,
208	223	"wrong rx packet: len=%d, rx_pkt_offset=%d, rx_pkt_length=%d\n",
209	224	skb->len, rx_pkt_offset, rx_pkt_length);
..	..	@@ -247,7 +262,8 @@
247	262	local_rx_pd->nf);
248	263	}
249	264	} else {
250		- if (rx_pkt_type != PKT_TYPE_BAR)
	265	+ if (rx_pkt_type != PKT_TYPE_BAR &&
	266	+ local_rx_pd->priority < MAX_NUM_TID)
251	267	priv->rx_seq[local_rx_pd->priority] = seq_num;
252	268	memcpy(ta, priv->curr_bss_params.bss_descriptor.mac_address,
253	269	ETH_ALEN);