From: "Arend van Spriel" <arend@broadcom.com>
To: "John W. Linville" <linville@tuxdriver.com>
Cc: "Linux Wireless List" <linux-wireless@vger.kernel.org>,
"Hante Meuleman" <meuleman@broadcom.com>,
"Arend van Spriel" <arend@broadcom.com>
Subject: [PATCH 10/11] brcmfmac: fix bug in setting mgmt ie and parsing vndrs ie.
Date: Wed, 28 Nov 2012 21:44:13 +0100
Message-ID: <1354135454-7035-11-git-send-email-arend@broadcom.com>
In-Reply-To: <1354135454-7035-1-git-send-email-arend@broadcom.com>
From: Hante Meuleman <meuleman@broadcom.com>
Parsing vndrs ie was not taking len of tlv itself into account. Setting
mgmt ie was missing check for length indicating non-configured ie and
wrongly checking available length.
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
---
.../net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 28 +++++++++++---------
1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
index 5dea1b4..96bc349 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
@@ -3293,11 +3293,12 @@ brcmf_parse_vndr_ies(const u8 *vndr_ie_buf, u32 vndr_ie_len,
if (vndr_ies->count >= MAX_VNDR_IE_NUMBER)
break;
next:
- remaining_len -= ie->len;
- if (remaining_len <= 2)
+ remaining_len -= (ie->len + TLV_HDR_LEN);
+ if (remaining_len <= TLV_HDR_LEN)
ie = NULL;
else
- ie = (struct brcmf_tlv *)(((u8 *)ie) + ie->len);
+ ie = (struct brcmf_tlv *)(((u8 *)ie) + ie->len +
+ TLV_HDR_LEN);
}
return err;
}
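Review bot: In the `next:` path, `remaining_len -= (ie->len + TLV_HDR_LEN)` runs before anything compares `ie->len` against the bytes actually left, so a TLV whose length field overstates its payload is only caught after the subtraction. That is safe if `remaining_len` is signed, but the signature shows `vndr_ie_len` as `u32`; if `remaining_len` shares that type, the result wraps and the `<= TLV_HDR_LEN` test lets `ie` advance past the buffer. Suggest testing `ie->len + TLV_HDR_LEN > remaining_len` before subtracting and ending the walk there, and confirming that the next element's `len` fits in what remains before its payload is read.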
@@ -3396,11 +3397,11 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_cfg80211_vif *vif, s32 pktflag,
}
}
- if (mgmt_ie_buf != NULL) {
+ if (mgmt_ie_buf && *mgmt_ie_len) {
if (parsed_ie_buf_len && (parsed_ie_buf_len == *mgmt_ie_len) &&
(memcmp(mgmt_ie_buf, curr_ie_buf,
parsed_ie_buf_len) == 0)) {
- WL_TRACE("Previous mgmt IE is equals to current IE");
+ WL_TRACE("Previous mgmt IE equals to current IE\n");
goto exit;
}
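Review bot: The new `*mgmt_ie_len` test in `if (mgmt_ie_buf && *mgmt_ie_len)` relies on a zero length meaning that no IE has been configured, which the commit message states but the code does not; a one-line comment above the condition would document that. In the reworded trace, "equals to" is still ungrammatical ("is equal to" or plain "equals"), and the "\n" added here is missing from the `WL_ERR` format strings touched by the same patch.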
@@ -3438,6 +3439,16 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_cfg80211_vif *vif, s32 pktflag,
for (i = 0; i < new_vndr_ies.count; i++) {
vndrie_info = &new_vndr_ies.ie_info[i];
+ /* verify remained buf size before copy data */
+ if (remained_buf_len < (vndrie_info->vndrie.len +
+ VNDR_IE_VSIE_OFFSET)) {
+ WL_ERR("no space in mgmt_ie_buf: len left %d",
+ remained_buf_len);
+ break;
+ }
+ remained_buf_len -= (vndrie_info->ie_len +
+ VNDR_IE_VSIE_OFFSET);
+
WL_TRACE("ADDED ID : %d, Len: %d, OUI:%02x:%02x:%02x\n",
vndrie_info->vndrie.id,
vndrie_info->vndrie.len,
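Review bot: The added bounds check and the decrement that follows it use different lengths: the test compares `remained_buf_len` against `vndrie_info->vndrie.len + VNDR_IE_VSIE_OFFSET`, while the subtraction removes `vndrie_info->ie_len + VNDR_IE_VSIE_OFFSET`. If those two fields differ, the subtraction can take more than the test verified and leave `remained_buf_len` negative without reaching the `break`. Use one expression in both places, chosen to match the number of bytes written for this entry (the `memcpy` later in the loop copies `vndrie_info->ie_len`). The `WL_ERR` format string also lacks a trailing "\n".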
@@ -3449,13 +3460,6 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_cfg80211_vif *vif, s32 pktflag,
vndrie_info->ie_ptr,
vndrie_info->ie_len,
"add");
- /* verify remained buf size before copy data */
- remained_buf_len -= vndrie_info->ie_len;
- if (remained_buf_len < 0) {
- WL_ERR("no space in mgmt_ie_buf: len left %d",
- remained_buf_len);
- break;
- }
/* save the parsed IE in wl struct */
memcpy(ptr + (*mgmt_ie_len), vndrie_info->ie_ptr,
--
1.7.10.4