[PATCH 0/4] nl80211: Cleanup cfg80211/mac80211 attribute validation

[PATCH 0/4] nl80211: Cleanup cfg80211/mac80211 attribute validation

[Jouni Malinen]

This patch set moves some of the attribute validation from mac80211 into
cfg80211 so that it can be shared with non-mac80211 drivers, too. In
addition, this removes an unused command and adds some extra validation
for MLME attributes.

-- 
Jouni Malinen                                            PGP id EFC895FA

[PATCH 1/4] nl80211: Remove NL80211_CMD_SET_MGMT_EXTRA_IE

[Jouni Malinen]

The functionality that NL80211_CMD_SET_MGMT_EXTRA_IE provided can now
be achieved with cleaner design by adding IE(s) into
NL80211_CMD_TRIGGER_SCAN, NL80211_CMD_AUTHENTICATE,
NL80211_CMD_ASSOCIATE, NL80211_CMD_DEAUTHENTICATE, and
NL80211_CMD_DISASSOCIATE.

Since this is a very recently added command and there are no known (or
known planned) applications using NL80211_CMD_SET_MGMT_EXTRA_IE and
taken into account how much extra complexity it adds to the IE
processing we have now (and need to add in the future to fix IE order
in couple of frames), it looks like the best option is to just remove
the implementation of this command for now. The enum values themselves
are left to avoid changing the nl80211 command or attribute numbers.

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>

---
 include/linux/nl80211.h    |    8 +++-
 include/net/cfg80211.h     |   26 -------------
 net/mac80211/cfg.c         |   86 ---------------------------------------------
 net/mac80211/ieee80211_i.h |   15 -------
 net/mac80211/iface.c       |    7 ---
 net/mac80211/mlme.c        |   36 +-----------------
 net/mac80211/util.c        |   29 ++-------------
 net/wireless/nl80211.c     |   47 ------------------------
 8 files changed, 14 insertions(+), 240 deletions(-)

--- uml.orig/include/linux/nl80211.h	2009-03-20 17:24:12.000000000 +0200
+++ uml/include/linux/nl80211.h	2009-03-20 18:03:53.000000000 +0200
@@ -142,6 +142,12 @@
  *	%NL80211_ATTR_IE. If the command succeeds, the requested data will be
  *	added to all specified management frames generated by
  *	kernel/firmware/driver.
+ *	Note: This command has been removed and it is only reserved at this
+ *	point to avoid re-using existing command number. The functionality this
+ *	command was planned for has been provided with cleaner design with the
+ *	option to specify additional IEs in NL80211_CMD_TRIGGER_SCAN,
+ *	NL80211_CMD_AUTHENTICATE, NL80211_CMD_ASSOCIATE,
+ *	NL80211_CMD_DEAUTHENTICATE, and NL80211_CMD_DISASSOCIATE.
  *
  * @NL80211_CMD_GET_SCAN: get scan results
  * @NL80211_CMD_TRIGGER_SCAN: trigger a new scan with the given parameters
@@ -238,7 +244,7 @@ enum nl80211_commands {
 	NL80211_CMD_GET_MESH_PARAMS,
 	NL80211_CMD_SET_MESH_PARAMS,
 
-	NL80211_CMD_SET_MGMT_EXTRA_IE,
+	NL80211_CMD_SET_MGMT_EXTRA_IE /* reserved; not used */,
 
 	NL80211_CMD_GET_REG,
 
--- uml.orig/include/net/cfg80211.h	2009-03-20 17:21:50.000000000 +0200
+++ uml/include/net/cfg80211.h	2009-03-20 18:03:53.000000000 +0200
@@ -471,26 +471,6 @@ struct ieee80211_txq_params {
 	u8 aifs;
 };
 
-/**
- * struct mgmt_extra_ie_params - Extra management frame IE parameters
- *
- * Used to add extra IE(s) into management frames. If the driver cannot add the
- * requested data into all management frames of the specified subtype that are
- * generated in kernel or firmware/hardware, it must reject the configuration
- * call. The IE data buffer is added to the end of the specified management
- * frame body after all other IEs. This addition is not applied to frames that
- * are injected through a monitor interface.
- *
- * @subtype: Management frame subtype
- * @ies: IE data buffer or %NULL to remove previous data
- * @ies_len: Length of @ies in octets
- */
-struct mgmt_extra_ie_params {
-	u8 subtype;
-	u8 *ies;
-	int ies_len;
-};
-
 /* from net/wireless.h */
 struct wiphy;
 
@@ -743,8 +723,6 @@ struct cfg80211_disassoc_request {
  *
  * @set_channel: Set channel
  *
- * @set_mgmt_extra_ie: Set extra IE data for management frames
- *
  * @scan: Request to do a scan. If returning zero, the scan request is given
  *	the driver, and will be valid until passed to cfg80211_scan_done().
  *	For scan results, call cfg80211_inform_bss(); you can call this outside
@@ -828,10 +806,6 @@ struct cfg80211_ops {
 			       struct ieee80211_channel *chan,
 			       enum nl80211_channel_type channel_type);
 
-	int	(*set_mgmt_extra_ie)(struct wiphy *wiphy,
-				     struct net_device *dev,
-				     struct mgmt_extra_ie_params *params);
-
 	int	(*scan)(struct wiphy *wiphy, struct net_device *dev,
 			struct cfg80211_scan_request *request);
 
--- uml.orig/net/mac80211/cfg.c	2009-03-20 17:21:50.000000000 +0200
+++ uml/net/mac80211/cfg.c	2009-03-20 18:03:53.000000000 +0200
@@ -1181,91 +1181,6 @@ static int ieee80211_set_channel(struct 
 	return ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
 }
 
-static int set_mgmt_extra_ie_sta(struct ieee80211_sub_if_data *sdata,
-				 u8 subtype, u8 *ies, size_t ies_len)
-{
-	struct ieee80211_local *local = sdata->local;
-	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
-
-	switch (subtype) {
-	case IEEE80211_STYPE_PROBE_REQ >> 4:
-		if (local->ops->hw_scan)
-			break;
-		kfree(ifmgd->ie_probereq);
-		ifmgd->ie_probereq = ies;
-		ifmgd->ie_probereq_len = ies_len;
-		return 0;
-	case IEEE80211_STYPE_PROBE_RESP >> 4:
-		kfree(ifmgd->ie_proberesp);
-		ifmgd->ie_proberesp = ies;
-		ifmgd->ie_proberesp_len = ies_len;
-		return 0;
-	case IEEE80211_STYPE_AUTH >> 4:
-		kfree(ifmgd->ie_auth);
-		ifmgd->ie_auth = ies;
-		ifmgd->ie_auth_len = ies_len;
-		return 0;
-	case IEEE80211_STYPE_ASSOC_REQ >> 4:
-		kfree(ifmgd->ie_assocreq);
-		ifmgd->ie_assocreq = ies;
-		ifmgd->ie_assocreq_len = ies_len;
-		return 0;
-	case IEEE80211_STYPE_REASSOC_REQ >> 4:
-		kfree(ifmgd->ie_reassocreq);
-		ifmgd->ie_reassocreq = ies;
-		ifmgd->ie_reassocreq_len = ies_len;
-		return 0;
-	case IEEE80211_STYPE_DEAUTH >> 4:
-		kfree(ifmgd->ie_deauth);
-		ifmgd->ie_deauth = ies;
-		ifmgd->ie_deauth_len = ies_len;
-		return 0;
-	case IEEE80211_STYPE_DISASSOC >> 4:
-		kfree(ifmgd->ie_disassoc);
-		ifmgd->ie_disassoc = ies;
-		ifmgd->ie_disassoc_len = ies_len;
-		return 0;
-	}
-
-	return -EOPNOTSUPP;
-}
-
-static int ieee80211_set_mgmt_extra_ie(struct wiphy *wiphy,
-				       struct net_device *dev,
-				       struct mgmt_extra_ie_params *params)
-{
-	struct ieee80211_sub_if_data *sdata;
-	u8 *ies;
-	size_t ies_len;
-	int ret = -EOPNOTSUPP;
-
-	if (params->ies) {
-		ies = kmemdup(params->ies, params->ies_len, GFP_KERNEL);
-		if (ies == NULL)
-			return -ENOMEM;
-		ies_len = params->ies_len;
-	} else {
-		ies = NULL;
-		ies_len = 0;
-	}
-
-	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-
-	switch (sdata->vif.type) {
-	case NL80211_IFTYPE_STATION:
-		ret = set_mgmt_extra_ie_sta(sdata, params->subtype,
-					    ies, ies_len);
-		break;
-	default:
-		ret = -EOPNOTSUPP;
-		break;
-	}
-
-	if (ret)
-		kfree(ies);
-	return ret;
-}
-
 #ifdef CONFIG_PM
 static int ieee80211_suspend(struct wiphy *wiphy)
 {
@@ -1465,7 +1380,6 @@ struct cfg80211_ops mac80211_config_ops 
 	.change_bss = ieee80211_change_bss,
 	.set_txq_params = ieee80211_set_txq_params,
 	.set_channel = ieee80211_set_channel,
-	.set_mgmt_extra_ie = ieee80211_set_mgmt_extra_ie,
 	.suspend = ieee80211_suspend,
 	.resume = ieee80211_resume,
 	.scan = ieee80211_scan,
--- uml.orig/net/mac80211/ieee80211_i.h	2009-03-20 17:24:12.000000000 +0200
+++ uml/net/mac80211/ieee80211_i.h	2009-03-20 18:03:53.000000000 +0200
@@ -323,21 +323,6 @@ struct ieee80211_if_managed {
 	int wmm_last_param_set;
 
 	/* Extra IE data for management frames */
-	u8 *ie_probereq;
-	size_t ie_probereq_len;
-	u8 *ie_proberesp;
-	size_t ie_proberesp_len;
-	u8 *ie_auth;
-	size_t ie_auth_len;
-	u8 *ie_assocreq;
-	size_t ie_assocreq_len;
-	u8 *ie_reassocreq;
-	size_t ie_reassocreq_len;
-	u8 *ie_deauth;
-	size_t ie_deauth_len;
-	u8 *ie_disassoc;
-	size_t ie_disassoc_len;
-
 	u8 *sme_auth_ie;
 	size_t sme_auth_ie_len;
 };
--- uml.orig/net/mac80211/iface.c	2009-03-20 17:24:12.000000000 +0200
+++ uml/net/mac80211/iface.c	2009-03-20 18:03:53.000000000 +0200
@@ -653,13 +653,6 @@ static void ieee80211_teardown_sdata(str
 		kfree(sdata->u.mgd.extra_ie);
 		kfree(sdata->u.mgd.assocreq_ies);
 		kfree(sdata->u.mgd.assocresp_ies);
-		kfree(sdata->u.mgd.ie_probereq);
-		kfree(sdata->u.mgd.ie_proberesp);
-		kfree(sdata->u.mgd.ie_auth);
-		kfree(sdata->u.mgd.ie_assocreq);
-		kfree(sdata->u.mgd.ie_reassocreq);
-		kfree(sdata->u.mgd.ie_deauth);
-		kfree(sdata->u.mgd.ie_disassoc);
 		kfree(sdata->u.mgd.sme_auth_ie);
 		break;
 	case NL80211_IFTYPE_WDS:
--- uml.orig/net/mac80211/mlme.c	2009-03-20 17:24:12.000000000 +0200
+++ uml/net/mac80211/mlme.c	2009-03-20 18:03:53.000000000 +0200
@@ -82,38 +82,23 @@ static int ieee80211_compatible_rates(st
 
 /* frame sending functions */
 
-static void add_extra_ies(struct sk_buff *skb, u8 *ies, size_t ies_len)
-{
-	if (ies)
-		memcpy(skb_put(skb, ies_len), ies, ies_len);
-}
-
 static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
 {
 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
 	struct ieee80211_local *local = sdata->local;
 	struct sk_buff *skb;
 	struct ieee80211_mgmt *mgmt;
-	u8 *pos, *ies, *ht_ie, *e_ies;
+	u8 *pos, *ies, *ht_ie;
 	int i, len, count, rates_len, supp_rates_len;
 	u16 capab;
 	struct ieee80211_bss *bss;
 	int wmm = 0;
 	struct ieee80211_supported_band *sband;
 	u32 rates = 0;
-	size_t e_ies_len;
-
-	if (ifmgd->flags & IEEE80211_STA_PREV_BSSID_SET) {
-		e_ies = sdata->u.mgd.ie_reassocreq;
-		e_ies_len = sdata->u.mgd.ie_reassocreq_len;
-	} else {
-		e_ies = sdata->u.mgd.ie_assocreq;
-		e_ies_len = sdata->u.mgd.ie_assocreq_len;
-	}
 
 	skb = dev_alloc_skb(local->hw.extra_tx_headroom +
 			    sizeof(*mgmt) + 200 + ifmgd->extra_ie_len +
-			    ifmgd->ssid_len + e_ies_len);
+			    ifmgd->ssid_len);
 	if (!skb) {
 		printk(KERN_DEBUG "%s: failed to allocate buffer for assoc "
 		       "frame\n", sdata->dev->name);
@@ -304,8 +289,6 @@ static void ieee80211_send_assoc(struct 
 		memcpy(pos, &sband->ht_cap.mcs, sizeof(sband->ht_cap.mcs));
 	}
 
-	add_extra_ies(skb, e_ies, e_ies_len);
-
 	kfree(ifmgd->assocreq_ies);
 	ifmgd->assocreq_ies_len = (skb->data + skb->len) - ies;
 	ifmgd->assocreq_ies = kmalloc(ifmgd->assocreq_ies_len, GFP_KERNEL);
@@ -323,19 +306,8 @@ static void ieee80211_send_deauth_disass
 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
 	struct sk_buff *skb;
 	struct ieee80211_mgmt *mgmt;
-	u8 *ies;
-	size_t ies_len;
 
-	if (stype == IEEE80211_STYPE_DEAUTH) {
-		ies = sdata->u.mgd.ie_deauth;
-		ies_len = sdata->u.mgd.ie_deauth_len;
-	} else {
-		ies = sdata->u.mgd.ie_disassoc;
-		ies_len = sdata->u.mgd.ie_disassoc_len;
-	}
-
-	skb = dev_alloc_skb(local->hw.extra_tx_headroom + sizeof(*mgmt) +
-			    ies_len);
+	skb = dev_alloc_skb(local->hw.extra_tx_headroom + sizeof(*mgmt));
 	if (!skb) {
 		printk(KERN_DEBUG "%s: failed to allocate buffer for "
 		       "deauth/disassoc frame\n", sdata->dev->name);
@@ -353,8 +325,6 @@ static void ieee80211_send_deauth_disass
 	/* u.deauth.reason_code == u.disassoc.reason_code */
 	mgmt->u.deauth.reason_code = cpu_to_le16(reason);
 
-	add_extra_ies(skb, ies, ies_len);
-
 	ieee80211_tx_skb(sdata, skb, ifmgd->flags & IEEE80211_STA_MFP_ENABLED);
 }
 
--- uml.orig/net/mac80211/util.c	2009-03-20 17:21:50.000000000 +0200
+++ uml/net/mac80211/util.c	2009-03-20 18:03:53.000000000 +0200
@@ -846,16 +846,9 @@ void ieee80211_send_auth(struct ieee8021
 	struct ieee80211_local *local = sdata->local;
 	struct sk_buff *skb;
 	struct ieee80211_mgmt *mgmt;
-	const u8 *ie_auth = NULL;
-	int ie_auth_len = 0;
-
-	if (sdata->vif.type == NL80211_IFTYPE_STATION) {
-		ie_auth_len = sdata->u.mgd.ie_auth_len;
-		ie_auth = sdata->u.mgd.ie_auth;
-	}
 
 	skb = dev_alloc_skb(local->hw.extra_tx_headroom +
-			    sizeof(*mgmt) + 6 + extra_len + ie_auth_len);
+			    sizeof(*mgmt) + 6 + extra_len);
 	if (!skb) {
 		printk(KERN_DEBUG "%s: failed to allocate buffer for auth "
 		       "frame\n", sdata->dev->name);
@@ -877,8 +870,6 @@ void ieee80211_send_auth(struct ieee8021
 	mgmt->u.auth.status_code = cpu_to_le16(0);
 	if (extra)
 		memcpy(skb_put(skb, extra_len), extra, extra_len);
-	if (ie_auth)
-		memcpy(skb_put(skb, ie_auth_len), ie_auth, ie_auth_len);
 
 	ieee80211_tx_skb(sdata, skb, encrypt);
 }
@@ -891,20 +882,11 @@ void ieee80211_send_probe_req(struct iee
 	struct ieee80211_supported_band *sband;
 	struct sk_buff *skb;
 	struct ieee80211_mgmt *mgmt;
-	u8 *pos, *supp_rates, *esupp_rates = NULL, *extra_preq_ie = NULL;
-	int i, extra_preq_ie_len = 0;
-
-	switch (sdata->vif.type) {
-	case NL80211_IFTYPE_STATION:
-		extra_preq_ie_len = sdata->u.mgd.ie_probereq_len;
-		extra_preq_ie = sdata->u.mgd.ie_probereq;
-		break;
-	default:
-		break;
-	}
+	u8 *pos, *supp_rates, *esupp_rates = NULL;
+	int i;
 
 	skb = dev_alloc_skb(local->hw.extra_tx_headroom + sizeof(*mgmt) + 200 +
-			    ie_len + extra_preq_ie_len);
+			    ie_len);
 	if (!skb) {
 		printk(KERN_DEBUG "%s: failed to allocate buffer for probe "
 		       "request\n", sdata->dev->name);
@@ -953,9 +935,6 @@ void ieee80211_send_probe_req(struct iee
 
 	if (ie)
 		memcpy(skb_put(skb, ie_len), ie, ie_len);
-	if (extra_preq_ie)
-		memcpy(skb_put(skb, extra_preq_ie_len), extra_preq_ie,
-		       extra_preq_ie_len);
 
 	ieee80211_tx_skb(sdata, skb, 0);
 }
--- uml.orig/net/wireless/nl80211.c	2009-03-20 18:03:40.000000000 +0200
+++ uml/net/wireless/nl80211.c	2009-03-20 18:03:53.000000000 +0200
@@ -269,7 +269,6 @@ static int nl80211_send_wiphy(struct sk_
 	CMD(add_mpath, NEW_MPATH);
 	CMD(set_mesh_params, SET_MESH_PARAMS);
 	CMD(change_bss, SET_BSS);
-	CMD(set_mgmt_extra_ie, SET_MGMT_EXTRA_IE);
 	CMD(auth, AUTHENTICATE);
 	CMD(assoc, ASSOCIATE);
 	CMD(deauth, DEAUTHENTICATE);
@@ -2355,46 +2354,6 @@ static int nl80211_set_reg(struct sk_buf
 	return -EINVAL;
 }
 
-static int nl80211_set_mgmt_extra_ie(struct sk_buff *skb,
-				     struct genl_info *info)
-{
-	struct cfg80211_registered_device *drv;
-	int err;
-	struct net_device *dev;
-	struct mgmt_extra_ie_params params;
-
-	memset(&params, 0, sizeof(params));
-
-	if (!info->attrs[NL80211_ATTR_MGMT_SUBTYPE])
-		return -EINVAL;
-	params.subtype = nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
-	if (params.subtype > 15)
-		return -EINVAL; /* FC Subtype field is 4 bits (0..15) */
-
-	if (info->attrs[NL80211_ATTR_IE]) {
-		params.ies = nla_data(info->attrs[NL80211_ATTR_IE]);
-		params.ies_len = nla_len(info->attrs[NL80211_ATTR_IE]);
-	}
-
-	rtnl_lock();
-
-	err = get_drv_dev_by_info_ifindex(info->attrs, &drv, &dev);
-	if (err)
-		goto out_rtnl;
-
-	if (drv->ops->set_mgmt_extra_ie)
-		err = drv->ops->set_mgmt_extra_ie(&drv->wiphy, dev, &params);
-	else
-		err = -EOPNOTSUPP;
-
-	cfg80211_put_dev(drv);
-	dev_put(dev);
- out_rtnl:
-	rtnl_unlock();
-
-	return err;
-}
-
 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
 {
 	struct cfg80211_registered_device *drv;
@@ -3044,12 +3003,6 @@ static struct genl_ops nl80211_ops[] = {
 		.flags = GENL_ADMIN_PERM,
 	},
 	{
-		.cmd = NL80211_CMD_SET_MGMT_EXTRA_IE,
-		.doit = nl80211_set_mgmt_extra_ie,
-		.policy = nl80211_policy,
-		.flags = GENL_ADMIN_PERM,
-	},
-	{
 		.cmd = NL80211_CMD_TRIGGER_SCAN,
 		.doit = nl80211_trigger_scan,
 		.policy = nl80211_policy,

-- 

-- 
Jouni Malinen                                            PGP id EFC895FA

Re: [PATCH 1/4] nl80211: Remove NL80211_CMD_SET_MGMT_EXTRA_IE

[Johannes Berg]

[-- Attachment #1: Type: text/plain, Size: 16363 bytes --]

On Fri, 2009-03-20 at 21:21 +0200, Jouni Malinen wrote:
> plain text document attachment (mac80211-remove-mlme-extra-ie.patch)
> The functionality that NL80211_CMD_SET_MGMT_EXTRA_IE provided can now
> be achieved with cleaner design by adding IE(s) into
> NL80211_CMD_TRIGGER_SCAN, NL80211_CMD_AUTHENTICATE,
> NL80211_CMD_ASSOCIATE, NL80211_CMD_DEAUTHENTICATE, and
> NL80211_CMD_DISASSOCIATE.
> 
> Since this is a very recently added command and there are no known (or
> known planned) applications using NL80211_CMD_SET_MGMT_EXTRA_IE and
> taken into account how much extra complexity it adds to the IE
> processing we have now (and need to add in the future to fix IE order
> in couple of frames), it looks like the best option is to just remove
> the implementation of this command for now. The enum values themselves
> are left to avoid changing the nl80211 command or attribute numbers.
> 
> Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>

Acked-by: Johannes Berg <johannes@sipsolutions.net>

> ---
>  include/linux/nl80211.h    |    8 +++-
>  include/net/cfg80211.h     |   26 -------------
>  net/mac80211/cfg.c         |   86 ---------------------------------------------
>  net/mac80211/ieee80211_i.h |   15 -------
>  net/mac80211/iface.c       |    7 ---
>  net/mac80211/mlme.c        |   36 +-----------------
>  net/mac80211/util.c        |   29 ++-------------
>  net/wireless/nl80211.c     |   47 ------------------------
>  8 files changed, 14 insertions(+), 240 deletions(-)
> 
> --- uml.orig/include/linux/nl80211.h	2009-03-20 17:24:12.000000000 +0200
> +++ uml/include/linux/nl80211.h	2009-03-20 18:03:53.000000000 +0200
> @@ -142,6 +142,12 @@
>   *	%NL80211_ATTR_IE. If the command succeeds, the requested data will be
>   *	added to all specified management frames generated by
>   *	kernel/firmware/driver.
> + *	Note: This command has been removed and it is only reserved at this
> + *	point to avoid re-using existing command number. The functionality this
> + *	command was planned for has been provided with cleaner design with the
> + *	option to specify additional IEs in NL80211_CMD_TRIGGER_SCAN,
> + *	NL80211_CMD_AUTHENTICATE, NL80211_CMD_ASSOCIATE,
> + *	NL80211_CMD_DEAUTHENTICATE, and NL80211_CMD_DISASSOCIATE.
>   *
>   * @NL80211_CMD_GET_SCAN: get scan results
>   * @NL80211_CMD_TRIGGER_SCAN: trigger a new scan with the given parameters
> @@ -238,7 +244,7 @@ enum nl80211_commands {
>  	NL80211_CMD_GET_MESH_PARAMS,
>  	NL80211_CMD_SET_MESH_PARAMS,
>  
> -	NL80211_CMD_SET_MGMT_EXTRA_IE,
> +	NL80211_CMD_SET_MGMT_EXTRA_IE /* reserved; not used */,
>  
>  	NL80211_CMD_GET_REG,
>  
> --- uml.orig/include/net/cfg80211.h	2009-03-20 17:21:50.000000000 +0200
> +++ uml/include/net/cfg80211.h	2009-03-20 18:03:53.000000000 +0200
> @@ -471,26 +471,6 @@ struct ieee80211_txq_params {
>  	u8 aifs;
>  };
>  
> -/**
> - * struct mgmt_extra_ie_params - Extra management frame IE parameters
> - *
> - * Used to add extra IE(s) into management frames. If the driver cannot add the
> - * requested data into all management frames of the specified subtype that are
> - * generated in kernel or firmware/hardware, it must reject the configuration
> - * call. The IE data buffer is added to the end of the specified management
> - * frame body after all other IEs. This addition is not applied to frames that
> - * are injected through a monitor interface.
> - *
> - * @subtype: Management frame subtype
> - * @ies: IE data buffer or %NULL to remove previous data
> - * @ies_len: Length of @ies in octets
> - */
> -struct mgmt_extra_ie_params {
> -	u8 subtype;
> -	u8 *ies;
> -	int ies_len;
> -};
> -
>  /* from net/wireless.h */
>  struct wiphy;
>  
> @@ -743,8 +723,6 @@ struct cfg80211_disassoc_request {
>   *
>   * @set_channel: Set channel
>   *
> - * @set_mgmt_extra_ie: Set extra IE data for management frames
> - *
>   * @scan: Request to do a scan. If returning zero, the scan request is given
>   *	the driver, and will be valid until passed to cfg80211_scan_done().
>   *	For scan results, call cfg80211_inform_bss(); you can call this outside
> @@ -828,10 +806,6 @@ struct cfg80211_ops {
>  			       struct ieee80211_channel *chan,
>  			       enum nl80211_channel_type channel_type);
>  
> -	int	(*set_mgmt_extra_ie)(struct wiphy *wiphy,
> -				     struct net_device *dev,
> -				     struct mgmt_extra_ie_params *params);
> -
>  	int	(*scan)(struct wiphy *wiphy, struct net_device *dev,
>  			struct cfg80211_scan_request *request);
>  
> --- uml.orig/net/mac80211/cfg.c	2009-03-20 17:21:50.000000000 +0200
> +++ uml/net/mac80211/cfg.c	2009-03-20 18:03:53.000000000 +0200
> @@ -1181,91 +1181,6 @@ static int ieee80211_set_channel(struct 
>  	return ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
>  }
>  
> -static int set_mgmt_extra_ie_sta(struct ieee80211_sub_if_data *sdata,
> -				 u8 subtype, u8 *ies, size_t ies_len)
> -{
> -	struct ieee80211_local *local = sdata->local;
> -	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
> -
> -	switch (subtype) {
> -	case IEEE80211_STYPE_PROBE_REQ >> 4:
> -		if (local->ops->hw_scan)
> -			break;
> -		kfree(ifmgd->ie_probereq);
> -		ifmgd->ie_probereq = ies;
> -		ifmgd->ie_probereq_len = ies_len;
> -		return 0;
> -	case IEEE80211_STYPE_PROBE_RESP >> 4:
> -		kfree(ifmgd->ie_proberesp);
> -		ifmgd->ie_proberesp = ies;
> -		ifmgd->ie_proberesp_len = ies_len;
> -		return 0;
> -	case IEEE80211_STYPE_AUTH >> 4:
> -		kfree(ifmgd->ie_auth);
> -		ifmgd->ie_auth = ies;
> -		ifmgd->ie_auth_len = ies_len;
> -		return 0;
> -	case IEEE80211_STYPE_ASSOC_REQ >> 4:
> -		kfree(ifmgd->ie_assocreq);
> -		ifmgd->ie_assocreq = ies;
> -		ifmgd->ie_assocreq_len = ies_len;
> -		return 0;
> -	case IEEE80211_STYPE_REASSOC_REQ >> 4:
> -		kfree(ifmgd->ie_reassocreq);
> -		ifmgd->ie_reassocreq = ies;
> -		ifmgd->ie_reassocreq_len = ies_len;
> -		return 0;
> -	case IEEE80211_STYPE_DEAUTH >> 4:
> -		kfree(ifmgd->ie_deauth);
> -		ifmgd->ie_deauth = ies;
> -		ifmgd->ie_deauth_len = ies_len;
> -		return 0;
> -	case IEEE80211_STYPE_DISASSOC >> 4:
> -		kfree(ifmgd->ie_disassoc);
> -		ifmgd->ie_disassoc = ies;
> -		ifmgd->ie_disassoc_len = ies_len;
> -		return 0;
> -	}
> -
> -	return -EOPNOTSUPP;
> -}
> -
> -static int ieee80211_set_mgmt_extra_ie(struct wiphy *wiphy,
> -				       struct net_device *dev,
> -				       struct mgmt_extra_ie_params *params)
> -{
> -	struct ieee80211_sub_if_data *sdata;
> -	u8 *ies;
> -	size_t ies_len;
> -	int ret = -EOPNOTSUPP;
> -
> -	if (params->ies) {
> -		ies = kmemdup(params->ies, params->ies_len, GFP_KERNEL);
> -		if (ies == NULL)
> -			return -ENOMEM;
> -		ies_len = params->ies_len;
> -	} else {
> -		ies = NULL;
> -		ies_len = 0;
> -	}
> -
> -	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
> -
> -	switch (sdata->vif.type) {
> -	case NL80211_IFTYPE_STATION:
> -		ret = set_mgmt_extra_ie_sta(sdata, params->subtype,
> -					    ies, ies_len);
> -		break;
> -	default:
> -		ret = -EOPNOTSUPP;
> -		break;
> -	}
> -
> -	if (ret)
> -		kfree(ies);
> -	return ret;
> -}
> -
>  #ifdef CONFIG_PM
>  static int ieee80211_suspend(struct wiphy *wiphy)
>  {
> @@ -1465,7 +1380,6 @@ struct cfg80211_ops mac80211_config_ops 
>  	.change_bss = ieee80211_change_bss,
>  	.set_txq_params = ieee80211_set_txq_params,
>  	.set_channel = ieee80211_set_channel,
> -	.set_mgmt_extra_ie = ieee80211_set_mgmt_extra_ie,
>  	.suspend = ieee80211_suspend,
>  	.resume = ieee80211_resume,
>  	.scan = ieee80211_scan,
> --- uml.orig/net/mac80211/ieee80211_i.h	2009-03-20 17:24:12.000000000 +0200
> +++ uml/net/mac80211/ieee80211_i.h	2009-03-20 18:03:53.000000000 +0200
> @@ -323,21 +323,6 @@ struct ieee80211_if_managed {
>  	int wmm_last_param_set;
>  
>  	/* Extra IE data for management frames */
> -	u8 *ie_probereq;
> -	size_t ie_probereq_len;
> -	u8 *ie_proberesp;
> -	size_t ie_proberesp_len;
> -	u8 *ie_auth;
> -	size_t ie_auth_len;
> -	u8 *ie_assocreq;
> -	size_t ie_assocreq_len;
> -	u8 *ie_reassocreq;
> -	size_t ie_reassocreq_len;
> -	u8 *ie_deauth;
> -	size_t ie_deauth_len;
> -	u8 *ie_disassoc;
> -	size_t ie_disassoc_len;
> -
>  	u8 *sme_auth_ie;
>  	size_t sme_auth_ie_len;
>  };
> --- uml.orig/net/mac80211/iface.c	2009-03-20 17:24:12.000000000 +0200
> +++ uml/net/mac80211/iface.c	2009-03-20 18:03:53.000000000 +0200
> @@ -653,13 +653,6 @@ static void ieee80211_teardown_sdata(str
>  		kfree(sdata->u.mgd.extra_ie);
>  		kfree(sdata->u.mgd.assocreq_ies);
>  		kfree(sdata->u.mgd.assocresp_ies);
> -		kfree(sdata->u.mgd.ie_probereq);
> -		kfree(sdata->u.mgd.ie_proberesp);
> -		kfree(sdata->u.mgd.ie_auth);
> -		kfree(sdata->u.mgd.ie_assocreq);
> -		kfree(sdata->u.mgd.ie_reassocreq);
> -		kfree(sdata->u.mgd.ie_deauth);
> -		kfree(sdata->u.mgd.ie_disassoc);
>  		kfree(sdata->u.mgd.sme_auth_ie);
>  		break;
>  	case NL80211_IFTYPE_WDS:
> --- uml.orig/net/mac80211/mlme.c	2009-03-20 17:24:12.000000000 +0200
> +++ uml/net/mac80211/mlme.c	2009-03-20 18:03:53.000000000 +0200
> @@ -82,38 +82,23 @@ static int ieee80211_compatible_rates(st
>  
>  /* frame sending functions */
>  
> -static void add_extra_ies(struct sk_buff *skb, u8 *ies, size_t ies_len)
> -{
> -	if (ies)
> -		memcpy(skb_put(skb, ies_len), ies, ies_len);
> -}
> -
>  static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
>  {
>  	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
>  	struct ieee80211_local *local = sdata->local;
>  	struct sk_buff *skb;
>  	struct ieee80211_mgmt *mgmt;
> -	u8 *pos, *ies, *ht_ie, *e_ies;
> +	u8 *pos, *ies, *ht_ie;
>  	int i, len, count, rates_len, supp_rates_len;
>  	u16 capab;
>  	struct ieee80211_bss *bss;
>  	int wmm = 0;
>  	struct ieee80211_supported_band *sband;
>  	u32 rates = 0;
> -	size_t e_ies_len;
> -
> -	if (ifmgd->flags & IEEE80211_STA_PREV_BSSID_SET) {
> -		e_ies = sdata->u.mgd.ie_reassocreq;
> -		e_ies_len = sdata->u.mgd.ie_reassocreq_len;
> -	} else {
> -		e_ies = sdata->u.mgd.ie_assocreq;
> -		e_ies_len = sdata->u.mgd.ie_assocreq_len;
> -	}
>  
>  	skb = dev_alloc_skb(local->hw.extra_tx_headroom +
>  			    sizeof(*mgmt) + 200 + ifmgd->extra_ie_len +
> -			    ifmgd->ssid_len + e_ies_len);
> +			    ifmgd->ssid_len);
>  	if (!skb) {
>  		printk(KERN_DEBUG "%s: failed to allocate buffer for assoc "
>  		       "frame\n", sdata->dev->name);
> @@ -304,8 +289,6 @@ static void ieee80211_send_assoc(struct 
>  		memcpy(pos, &sband->ht_cap.mcs, sizeof(sband->ht_cap.mcs));
>  	}
>  
> -	add_extra_ies(skb, e_ies, e_ies_len);
> -
>  	kfree(ifmgd->assocreq_ies);
>  	ifmgd->assocreq_ies_len = (skb->data + skb->len) - ies;
>  	ifmgd->assocreq_ies = kmalloc(ifmgd->assocreq_ies_len, GFP_KERNEL);
> @@ -323,19 +306,8 @@ static void ieee80211_send_deauth_disass
>  	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
>  	struct sk_buff *skb;
>  	struct ieee80211_mgmt *mgmt;
> -	u8 *ies;
> -	size_t ies_len;
>  
> -	if (stype == IEEE80211_STYPE_DEAUTH) {
> -		ies = sdata->u.mgd.ie_deauth;
> -		ies_len = sdata->u.mgd.ie_deauth_len;
> -	} else {
> -		ies = sdata->u.mgd.ie_disassoc;
> -		ies_len = sdata->u.mgd.ie_disassoc_len;
> -	}
> -
> -	skb = dev_alloc_skb(local->hw.extra_tx_headroom + sizeof(*mgmt) +
> -			    ies_len);
> +	skb = dev_alloc_skb(local->hw.extra_tx_headroom + sizeof(*mgmt));
>  	if (!skb) {
>  		printk(KERN_DEBUG "%s: failed to allocate buffer for "
>  		       "deauth/disassoc frame\n", sdata->dev->name);
> @@ -353,8 +325,6 @@ static void ieee80211_send_deauth_disass
>  	/* u.deauth.reason_code == u.disassoc.reason_code */
>  	mgmt->u.deauth.reason_code = cpu_to_le16(reason);
>  
> -	add_extra_ies(skb, ies, ies_len);
> -
>  	ieee80211_tx_skb(sdata, skb, ifmgd->flags & IEEE80211_STA_MFP_ENABLED);
>  }
>  
> --- uml.orig/net/mac80211/util.c	2009-03-20 17:21:50.000000000 +0200
> +++ uml/net/mac80211/util.c	2009-03-20 18:03:53.000000000 +0200
> @@ -846,16 +846,9 @@ void ieee80211_send_auth(struct ieee8021
>  	struct ieee80211_local *local = sdata->local;
>  	struct sk_buff *skb;
>  	struct ieee80211_mgmt *mgmt;
> -	const u8 *ie_auth = NULL;
> -	int ie_auth_len = 0;
> -
> -	if (sdata->vif.type == NL80211_IFTYPE_STATION) {
> -		ie_auth_len = sdata->u.mgd.ie_auth_len;
> -		ie_auth = sdata->u.mgd.ie_auth;
> -	}
>  
>  	skb = dev_alloc_skb(local->hw.extra_tx_headroom +
> -			    sizeof(*mgmt) + 6 + extra_len + ie_auth_len);
> +			    sizeof(*mgmt) + 6 + extra_len);
>  	if (!skb) {
>  		printk(KERN_DEBUG "%s: failed to allocate buffer for auth "
>  		       "frame\n", sdata->dev->name);
> @@ -877,8 +870,6 @@ void ieee80211_send_auth(struct ieee8021
>  	mgmt->u.auth.status_code = cpu_to_le16(0);
>  	if (extra)
>  		memcpy(skb_put(skb, extra_len), extra, extra_len);
> -	if (ie_auth)
> -		memcpy(skb_put(skb, ie_auth_len), ie_auth, ie_auth_len);
>  
>  	ieee80211_tx_skb(sdata, skb, encrypt);
>  }
> @@ -891,20 +882,11 @@ void ieee80211_send_probe_req(struct iee
>  	struct ieee80211_supported_band *sband;
>  	struct sk_buff *skb;
>  	struct ieee80211_mgmt *mgmt;
> -	u8 *pos, *supp_rates, *esupp_rates = NULL, *extra_preq_ie = NULL;
> -	int i, extra_preq_ie_len = 0;
> -
> -	switch (sdata->vif.type) {
> -	case NL80211_IFTYPE_STATION:
> -		extra_preq_ie_len = sdata->u.mgd.ie_probereq_len;
> -		extra_preq_ie = sdata->u.mgd.ie_probereq;
> -		break;
> -	default:
> -		break;
> -	}
> +	u8 *pos, *supp_rates, *esupp_rates = NULL;
> +	int i;
>  
>  	skb = dev_alloc_skb(local->hw.extra_tx_headroom + sizeof(*mgmt) + 200 +
> -			    ie_len + extra_preq_ie_len);
> +			    ie_len);
>  	if (!skb) {
>  		printk(KERN_DEBUG "%s: failed to allocate buffer for probe "
>  		       "request\n", sdata->dev->name);
> @@ -953,9 +935,6 @@ void ieee80211_send_probe_req(struct iee
>  
>  	if (ie)
>  		memcpy(skb_put(skb, ie_len), ie, ie_len);
> -	if (extra_preq_ie)
> -		memcpy(skb_put(skb, extra_preq_ie_len), extra_preq_ie,
> -		       extra_preq_ie_len);
>  
>  	ieee80211_tx_skb(sdata, skb, 0);
>  }
> --- uml.orig/net/wireless/nl80211.c	2009-03-20 18:03:40.000000000 +0200
> +++ uml/net/wireless/nl80211.c	2009-03-20 18:03:53.000000000 +0200
> @@ -269,7 +269,6 @@ static int nl80211_send_wiphy(struct sk_
>  	CMD(add_mpath, NEW_MPATH);
>  	CMD(set_mesh_params, SET_MESH_PARAMS);
>  	CMD(change_bss, SET_BSS);
> -	CMD(set_mgmt_extra_ie, SET_MGMT_EXTRA_IE);
>  	CMD(auth, AUTHENTICATE);
>  	CMD(assoc, ASSOCIATE);
>  	CMD(deauth, DEAUTHENTICATE);
> @@ -2355,46 +2354,6 @@ static int nl80211_set_reg(struct sk_buf
>  	return -EINVAL;
>  }
>  
> -static int nl80211_set_mgmt_extra_ie(struct sk_buff *skb,
> -				     struct genl_info *info)
> -{
> -	struct cfg80211_registered_device *drv;
> -	int err;
> -	struct net_device *dev;
> -	struct mgmt_extra_ie_params params;
> -
> -	memset(&params, 0, sizeof(params));
> -
> -	if (!info->attrs[NL80211_ATTR_MGMT_SUBTYPE])
> -		return -EINVAL;
> -	params.subtype = nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
> -	if (params.subtype > 15)
> -		return -EINVAL; /* FC Subtype field is 4 bits (0..15) */
> -
> -	if (info->attrs[NL80211_ATTR_IE]) {
> -		params.ies = nla_data(info->attrs[NL80211_ATTR_IE]);
> -		params.ies_len = nla_len(info->attrs[NL80211_ATTR_IE]);
> -	}
> -
> -	rtnl_lock();
> -
> -	err = get_drv_dev_by_info_ifindex(info->attrs, &drv, &dev);
> -	if (err)
> -		goto out_rtnl;
> -
> -	if (drv->ops->set_mgmt_extra_ie)
> -		err = drv->ops->set_mgmt_extra_ie(&drv->wiphy, dev, &params);
> -	else
> -		err = -EOPNOTSUPP;
> -
> -	cfg80211_put_dev(drv);
> -	dev_put(dev);
> - out_rtnl:
> -	rtnl_unlock();
> -
> -	return err;
> -}
> -
>  static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
>  {
>  	struct cfg80211_registered_device *drv;
> @@ -3044,12 +3003,6 @@ static struct genl_ops nl80211_ops[] = {
>  		.flags = GENL_ADMIN_PERM,
>  	},
>  	{
> -		.cmd = NL80211_CMD_SET_MGMT_EXTRA_IE,
> -		.doit = nl80211_set_mgmt_extra_ie,
> -		.policy = nl80211_policy,
> -		.flags = GENL_ADMIN_PERM,
> -	},
> -	{
>  		.cmd = NL80211_CMD_TRIGGER_SCAN,
>  		.doit = nl80211_trigger_scan,
>  		.policy = nl80211_policy,
> 
> -- 
> 

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

[PATCH 2/4] nl80211: Add more through validation of MLME command parameters

[Jouni Malinen]

Check that the used authentication type and reason code are valid here
so that drivers/mac80211 do not need to care about this. In addition,
remove the unnecessary validation of SSID attribute length which is
taken care of by netlink policy.

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>

---
 net/wireless/nl80211.c |   32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

--- uml.orig/net/wireless/nl80211.c	2009-03-20 18:03:53.000000000 +0200
+++ uml/net/wireless/nl80211.c	2009-03-20 18:03:57.000000000 +0200
@@ -2614,6 +2614,14 @@ static int nl80211_dump_scan(struct sk_b
 	return err;
 }
 
+static bool nl80211_valid_auth_type(enum nl80211_auth_type auth_type)
+{
+	return auth_type == NL80211_AUTHTYPE_OPEN_SYSTEM ||
+		auth_type == NL80211_AUTHTYPE_SHARED_KEY ||
+		auth_type == NL80211_AUTHTYPE_FT ||
+		auth_type == NL80211_AUTHTYPE_NETWORK_EAP;
+}
+
 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
 {
 	struct cfg80211_registered_device *drv;
@@ -2666,6 +2674,10 @@ static int nl80211_authenticate(struct s
 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
 		req.auth_type =
 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
+		if (!nl80211_valid_auth_type(req.auth_type)) {
+			err = -EINVAL;
+			goto out;
+		}
 	}
 
 	err = drv->ops->auth(&drv->wiphy, dev, &req);
@@ -2718,10 +2730,6 @@ static int nl80211_associate(struct sk_b
 		}
 	}
 
-	if (nla_len(info->attrs[NL80211_ATTR_SSID]) > IEEE80211_MAX_SSID_LEN) {
-		err = -EINVAL;
-		goto out;
-	}
 	req.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
 	req.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
 
@@ -2769,9 +2777,15 @@ static int nl80211_deauthenticate(struct
 
 	req.peer_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
 
-	if (info->attrs[NL80211_ATTR_REASON_CODE])
+	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
 		req.reason_code =
 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
+		if (req.reason_code == 0) {
+			/* Reason Code 0 is reserved */
+			err = -EINVAL;
+			goto out;
+		}
+	}
 
 	if (info->attrs[NL80211_ATTR_IE]) {
 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
@@ -2817,9 +2831,15 @@ static int nl80211_disassociate(struct s
 
 	req.peer_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
 
-	if (info->attrs[NL80211_ATTR_REASON_CODE])
+	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
 		req.reason_code =
 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
+		if (req.reason_code == 0) {
+			/* Reason Code 0 is reserved */
+			err = -EINVAL;
+			goto out;
+		}
+	}
 
 	if (info->attrs[NL80211_ATTR_IE]) {
 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);

-- 

-- 
Jouni Malinen                                            PGP id EFC895FA

Re: [PATCH 2/4] nl80211: Add more through validation of MLME command parameters

[Johannes Berg]

[-- Attachment #1: Type: text/plain, Size: 3106 bytes --]

On Fri, 2009-03-20 at 21:21 +0200, Jouni Malinen wrote:
> plain text document attachment (nl80211-validate-mlme-params.patch)
> Check that the used authentication type and reason code are valid here
> so that drivers/mac80211 do not need to care about this. In addition,
> remove the unnecessary validation of SSID attribute length which is
> taken care of by netlink policy.
> 
> Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>

Thanks.

Acked-by: Johannes Berg <johannes@sipsolutions.net>

> ---
>  net/wireless/nl80211.c |   32 ++++++++++++++++++++++++++------
>  1 file changed, 26 insertions(+), 6 deletions(-)
> 
> --- uml.orig/net/wireless/nl80211.c	2009-03-20 18:03:53.000000000 +0200
> +++ uml/net/wireless/nl80211.c	2009-03-20 18:03:57.000000000 +0200
> @@ -2614,6 +2614,14 @@ static int nl80211_dump_scan(struct sk_b
>  	return err;
>  }
>  
> +static bool nl80211_valid_auth_type(enum nl80211_auth_type auth_type)
> +{
> +	return auth_type == NL80211_AUTHTYPE_OPEN_SYSTEM ||
> +		auth_type == NL80211_AUTHTYPE_SHARED_KEY ||
> +		auth_type == NL80211_AUTHTYPE_FT ||
> +		auth_type == NL80211_AUTHTYPE_NETWORK_EAP;
> +}
> +
>  static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
>  {
>  	struct cfg80211_registered_device *drv;
> @@ -2666,6 +2674,10 @@ static int nl80211_authenticate(struct s
>  	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
>  		req.auth_type =
>  			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
> +		if (!nl80211_valid_auth_type(req.auth_type)) {
> +			err = -EINVAL;
> +			goto out;
> +		}
>  	}
>  
>  	err = drv->ops->auth(&drv->wiphy, dev, &req);
> @@ -2718,10 +2730,6 @@ static int nl80211_associate(struct sk_b
>  		}
>  	}
>  
> -	if (nla_len(info->attrs[NL80211_ATTR_SSID]) > IEEE80211_MAX_SSID_LEN) {
> -		err = -EINVAL;
> -		goto out;
> -	}
>  	req.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
>  	req.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
>  
> @@ -2769,9 +2777,15 @@ static int nl80211_deauthenticate(struct
>  
>  	req.peer_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
>  
> -	if (info->attrs[NL80211_ATTR_REASON_CODE])
> +	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
>  		req.reason_code =
>  			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
> +		if (req.reason_code == 0) {
> +			/* Reason Code 0 is reserved */
> +			err = -EINVAL;
> +			goto out;
> +		}
> +	}
>  
>  	if (info->attrs[NL80211_ATTR_IE]) {
>  		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
> @@ -2817,9 +2831,15 @@ static int nl80211_disassociate(struct s
>  
>  	req.peer_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
>  
> -	if (info->attrs[NL80211_ATTR_REASON_CODE])
> +	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
>  		req.reason_code =
>  			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
> +		if (req.reason_code == 0) {
> +			/* Reason Code 0 is reserved */
> +			err = -EINVAL;
> +			goto out;
> +		}
> +	}
>  
>  	if (info->attrs[NL80211_ATTR_IE]) {
>  		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
> 
> -- 
> 

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

[PATCH 3/4] nl80211: Check that netif_runnin is true in cfg80211 code

[Jouni Malinen]

We do not want to require all the drivers using cfg80211 to need to do
this or to be prepared to handle these commands when the interface is
down.

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>

---
 net/mac80211/cfg.c     |   25 -------------------------
 net/wireless/nl80211.c |   40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 25 deletions(-)

--- uml.orig/net/mac80211/cfg.c	2009-03-20 18:03:53.000000000 +0200
+++ uml/net/mac80211/cfg.c	2009-03-20 18:03:59.000000000 +0200
@@ -728,10 +728,6 @@ static int ieee80211_add_station(struct 
 	int err;
 	int layer2_update;
 
-	/* Prevent a race with changing the rate control algorithm */
-	if (!netif_running(dev))
-		return -ENETDOWN;
-
 	if (params->vlan) {
 		sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
 
@@ -860,9 +856,6 @@ static int ieee80211_add_mpath(struct wi
 	struct sta_info *sta;
 	int err;
 
-	if (!netif_running(dev))
-		return -ENETDOWN;
-
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
 	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
@@ -913,9 +906,6 @@ static int ieee80211_change_mpath(struct
 	struct mesh_path *mpath;
 	struct sta_info *sta;
 
-	if (!netif_running(dev))
-		return -ENETDOWN;
-
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
 	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
@@ -1202,9 +1192,6 @@ static int ieee80211_scan(struct wiphy *
 {
 	struct ieee80211_sub_if_data *sdata;
 
-	if (!netif_running(dev))
-		return -ENETDOWN;
-
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
 	if (sdata->vif.type != NL80211_IFTYPE_STATION &&
@@ -1220,9 +1207,6 @@ static int ieee80211_auth(struct wiphy *
 {
 	struct ieee80211_sub_if_data *sdata;
 
-	if (!netif_running(dev))
-		return -ENETDOWN;
-
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
 	if (sdata->vif.type != NL80211_IFTYPE_STATION)
@@ -1282,9 +1266,6 @@ static int ieee80211_assoc(struct wiphy 
 	struct ieee80211_sub_if_data *sdata;
 	int ret;
 
-	if (!netif_running(dev))
-		return -ENETDOWN;
-
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
 	if (sdata->vif.type != NL80211_IFTYPE_STATION)
@@ -1323,9 +1304,6 @@ static int ieee80211_deauth(struct wiphy
 {
 	struct ieee80211_sub_if_data *sdata;
 
-	if (!netif_running(dev))
-		return -ENETDOWN;
-
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 	if (sdata->vif.type != NL80211_IFTYPE_STATION)
 		return -EOPNOTSUPP;
@@ -1339,9 +1317,6 @@ static int ieee80211_disassoc(struct wip
 {
 	struct ieee80211_sub_if_data *sdata;
 
-	if (!netif_running(dev))
-		return -ENETDOWN;
-
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
 	if (sdata->vif.type != NL80211_IFTYPE_STATION)
--- uml.orig/net/wireless/nl80211.c	2009-03-20 18:03:57.000000000 +0200
+++ uml/net/wireless/nl80211.c	2009-03-20 18:03:59.000000000 +0200
@@ -1556,6 +1556,11 @@ static int nl80211_new_station(struct sk
 		goto out;
 	}
 
+	if (!netif_running(dev)) {
+		err = -ENETDOWN;
+		goto out;
+	}
+
 	err = drv->ops->add_station(&drv->wiphy, dev, mac_addr, &params);
 
  out:
@@ -1808,6 +1813,11 @@ static int nl80211_set_mpath(struct sk_b
 		goto out;
 	}
 
+	if (!netif_running(dev)) {
+		err = -ENETDOWN;
+		goto out;
+	}
+
 	err = drv->ops->change_mpath(&drv->wiphy, dev, dst, next_hop);
 
  out:
@@ -1846,6 +1856,11 @@ static int nl80211_new_mpath(struct sk_b
 		goto out;
 	}
 
+	if (!netif_running(dev)) {
+		err = -ENETDOWN;
+		goto out;
+	}
+
 	err = drv->ops->add_mpath(&drv->wiphy, dev, dst, next_hop);
 
  out:
@@ -2380,6 +2395,11 @@ static int nl80211_trigger_scan(struct s
 		goto out;
 	}
 
+	if (!netif_running(dev)) {
+		err = -ENETDOWN;
+		goto out;
+	}
+
 	if (drv->scan_req) {
 		err = -EBUSY;
 		goto out;
@@ -2641,6 +2661,11 @@ static int nl80211_authenticate(struct s
 		goto out;
 	}
 
+	if (!netif_running(dev)) {
+		err = -ENETDOWN;
+		goto out;
+	}
+
 	if (!info->attrs[NL80211_ATTR_MAC]) {
 		err = -EINVAL;
 		goto out;
@@ -2709,6 +2734,11 @@ static int nl80211_associate(struct sk_b
 		goto out;
 	}
 
+	if (!netif_running(dev)) {
+		err = -ENETDOWN;
+		goto out;
+	}
+
 	if (!info->attrs[NL80211_ATTR_MAC] ||
 	    !info->attrs[NL80211_ATTR_SSID]) {
 		err = -EINVAL;
@@ -2767,6 +2797,11 @@ static int nl80211_deauthenticate(struct
 		goto out;
 	}
 
+	if (!netif_running(dev)) {
+		err = -ENETDOWN;
+		goto out;
+	}
+
 	if (!info->attrs[NL80211_ATTR_MAC]) {
 		err = -EINVAL;
 		goto out;
@@ -2821,6 +2856,11 @@ static int nl80211_disassociate(struct s
 		goto out;
 	}
 
+	if (!netif_running(dev)) {
+		err = -ENETDOWN;
+		goto out;
+	}
+
 	if (!info->attrs[NL80211_ATTR_MAC]) {
 		err = -EINVAL;
 		goto out;

-- 

-- 
Jouni Malinen                                            PGP id EFC895FA

Re: [PATCH 3/4] nl80211: Check that netif_runnin is true in cfg80211 code

[Johannes Berg]

[-- Attachment #1: Type: text/plain, Size: 5307 bytes --]

On Fri, 2009-03-20 at 21:21 +0200, Jouni Malinen wrote:
> plain text document attachment (nl80211-check-netif-running.patch)
> We do not want to require all the drivers using cfg80211 to need to do
> this or to be prepared to handle these commands when the interface is
> down.
> 
> Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>

Thanks a lot, Jouni.

Acked-by: Johannes Berg <johannes@sipsolutions.net>

> ---
>  net/mac80211/cfg.c     |   25 -------------------------
>  net/wireless/nl80211.c |   40 ++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 40 insertions(+), 25 deletions(-)
> 
> --- uml.orig/net/mac80211/cfg.c	2009-03-20 18:03:53.000000000 +0200
> +++ uml/net/mac80211/cfg.c	2009-03-20 18:03:59.000000000 +0200
> @@ -728,10 +728,6 @@ static int ieee80211_add_station(struct 
>  	int err;
>  	int layer2_update;
>  
> -	/* Prevent a race with changing the rate control algorithm */
> -	if (!netif_running(dev))
> -		return -ENETDOWN;
> -
>  	if (params->vlan) {
>  		sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
>  
> @@ -860,9 +856,6 @@ static int ieee80211_add_mpath(struct wi
>  	struct sta_info *sta;
>  	int err;
>  
> -	if (!netif_running(dev))
> -		return -ENETDOWN;
> -
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
>  	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
> @@ -913,9 +906,6 @@ static int ieee80211_change_mpath(struct
>  	struct mesh_path *mpath;
>  	struct sta_info *sta;
>  
> -	if (!netif_running(dev))
> -		return -ENETDOWN;
> -
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
>  	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
> @@ -1202,9 +1192,6 @@ static int ieee80211_scan(struct wiphy *
>  {
>  	struct ieee80211_sub_if_data *sdata;
>  
> -	if (!netif_running(dev))
> -		return -ENETDOWN;
> -
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
>  	if (sdata->vif.type != NL80211_IFTYPE_STATION &&
> @@ -1220,9 +1207,6 @@ static int ieee80211_auth(struct wiphy *
>  {
>  	struct ieee80211_sub_if_data *sdata;
>  
> -	if (!netif_running(dev))
> -		return -ENETDOWN;
> -
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
>  	if (sdata->vif.type != NL80211_IFTYPE_STATION)
> @@ -1282,9 +1266,6 @@ static int ieee80211_assoc(struct wiphy 
>  	struct ieee80211_sub_if_data *sdata;
>  	int ret;
>  
> -	if (!netif_running(dev))
> -		return -ENETDOWN;
> -
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
>  	if (sdata->vif.type != NL80211_IFTYPE_STATION)
> @@ -1323,9 +1304,6 @@ static int ieee80211_deauth(struct wiphy
>  {
>  	struct ieee80211_sub_if_data *sdata;
>  
> -	if (!netif_running(dev))
> -		return -ENETDOWN;
> -
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  	if (sdata->vif.type != NL80211_IFTYPE_STATION)
>  		return -EOPNOTSUPP;
> @@ -1339,9 +1317,6 @@ static int ieee80211_disassoc(struct wip
>  {
>  	struct ieee80211_sub_if_data *sdata;
>  
> -	if (!netif_running(dev))
> -		return -ENETDOWN;
> -
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
>  	if (sdata->vif.type != NL80211_IFTYPE_STATION)
> --- uml.orig/net/wireless/nl80211.c	2009-03-20 18:03:57.000000000 +0200
> +++ uml/net/wireless/nl80211.c	2009-03-20 18:03:59.000000000 +0200
> @@ -1556,6 +1556,11 @@ static int nl80211_new_station(struct sk
>  		goto out;
>  	}
>  
> +	if (!netif_running(dev)) {
> +		err = -ENETDOWN;
> +		goto out;
> +	}
> +
>  	err = drv->ops->add_station(&drv->wiphy, dev, mac_addr, &params);
>  
>   out:
> @@ -1808,6 +1813,11 @@ static int nl80211_set_mpath(struct sk_b
>  		goto out;
>  	}
>  
> +	if (!netif_running(dev)) {
> +		err = -ENETDOWN;
> +		goto out;
> +	}
> +
>  	err = drv->ops->change_mpath(&drv->wiphy, dev, dst, next_hop);
>  
>   out:
> @@ -1846,6 +1856,11 @@ static int nl80211_new_mpath(struct sk_b
>  		goto out;
>  	}
>  
> +	if (!netif_running(dev)) {
> +		err = -ENETDOWN;
> +		goto out;
> +	}
> +
>  	err = drv->ops->add_mpath(&drv->wiphy, dev, dst, next_hop);
>  
>   out:
> @@ -2380,6 +2395,11 @@ static int nl80211_trigger_scan(struct s
>  		goto out;
>  	}
>  
> +	if (!netif_running(dev)) {
> +		err = -ENETDOWN;
> +		goto out;
> +	}
> +
>  	if (drv->scan_req) {
>  		err = -EBUSY;
>  		goto out;
> @@ -2641,6 +2661,11 @@ static int nl80211_authenticate(struct s
>  		goto out;
>  	}
>  
> +	if (!netif_running(dev)) {
> +		err = -ENETDOWN;
> +		goto out;
> +	}
> +
>  	if (!info->attrs[NL80211_ATTR_MAC]) {
>  		err = -EINVAL;
>  		goto out;
> @@ -2709,6 +2734,11 @@ static int nl80211_associate(struct sk_b
>  		goto out;
>  	}
>  
> +	if (!netif_running(dev)) {
> +		err = -ENETDOWN;
> +		goto out;
> +	}
> +
>  	if (!info->attrs[NL80211_ATTR_MAC] ||
>  	    !info->attrs[NL80211_ATTR_SSID]) {
>  		err = -EINVAL;
> @@ -2767,6 +2797,11 @@ static int nl80211_deauthenticate(struct
>  		goto out;
>  	}
>  
> +	if (!netif_running(dev)) {
> +		err = -ENETDOWN;
> +		goto out;
> +	}
> +
>  	if (!info->attrs[NL80211_ATTR_MAC]) {
>  		err = -EINVAL;
>  		goto out;
> @@ -2821,6 +2856,11 @@ static int nl80211_disassociate(struct s
>  		goto out;
>  	}
>  
> +	if (!netif_running(dev)) {
> +		err = -ENETDOWN;
> +		goto out;
> +	}
> +
>  	if (!info->attrs[NL80211_ATTR_MAC]) {
>  		err = -EINVAL;
>  		goto out;
> 
> -- 
> 

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

[PATCH 4/4] nl80211: Check iftype in cfg80211 code

[Jouni Malinen]

We do not want to require all the drivers using cfg80211 to need to do
this. In addition, make the error values consistent by using
EOPNOTSUPP instead of semi-random assortment of errno values.

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>

---
 net/mac80211/cfg.c     |   40 ----------------------------
 net/wireless/nl80211.c |   68 +++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 66 insertions(+), 42 deletions(-)

--- uml.orig/net/mac80211/cfg.c	2009-03-20 18:03:59.000000000 +0200
+++ uml/net/mac80211/cfg.c	2009-03-20 18:04:01.000000000 +0200
@@ -540,9 +540,6 @@ static int ieee80211_add_beacon(struct w
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_AP)
-		return -EINVAL;
-
 	old = sdata->u.ap.beacon;
 
 	if (old)
@@ -559,9 +556,6 @@ static int ieee80211_set_beacon(struct w
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_AP)
-		return -EINVAL;
-
 	old = sdata->u.ap.beacon;
 
 	if (!old)
@@ -577,9 +571,6 @@ static int ieee80211_del_beacon(struct w
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_AP)
-		return -EINVAL;
-
 	old = sdata->u.ap.beacon;
 
 	if (!old)
@@ -858,9 +849,6 @@ static int ieee80211_add_mpath(struct wi
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
-		return -ENOTSUPP;
-
 	rcu_read_lock();
 	sta = sta_info_get(local, next_hop);
 	if (!sta) {
@@ -908,9 +896,6 @@ static int ieee80211_change_mpath(struct
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
-		return -ENOTSUPP;
-
 	rcu_read_lock();
 
 	sta = sta_info_get(local, next_hop);
@@ -979,9 +964,6 @@ static int ieee80211_get_mpath(struct wi
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
-		return -ENOTSUPP;
-
 	rcu_read_lock();
 	mpath = mesh_path_lookup(dst, sdata);
 	if (!mpath) {
@@ -1003,9 +985,6 @@ static int ieee80211_dump_mpath(struct w
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
-		return -ENOTSUPP;
-
 	rcu_read_lock();
 	mpath = mesh_path_lookup_by_idx(idx, sdata);
 	if (!mpath) {
@@ -1025,8 +1004,6 @@ static int ieee80211_get_mesh_params(str
 	struct ieee80211_sub_if_data *sdata;
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
-		return -ENOTSUPP;
 	memcpy(conf, &(sdata->u.mesh.mshcfg), sizeof(struct mesh_config));
 	return 0;
 }
@@ -1044,9 +1021,6 @@ static int ieee80211_set_mesh_params(str
 	struct ieee80211_sub_if_data *sdata;
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
-		return -ENOTSUPP;
-
 	/* Set the config options which we are interested in setting */
 	conf = &(sdata->u.mesh.mshcfg);
 	if (_chg_mesh_attr(NL80211_MESHCONF_RETRY_TIMEOUT, mask))
@@ -1094,9 +1068,6 @@ static int ieee80211_change_bss(struct w
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_AP)
-		return -EINVAL;
-
 	if (params->use_cts_prot >= 0) {
 		sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot;
 		changed |= BSS_CHANGED_ERP_CTS_PROT;
@@ -1209,9 +1180,6 @@ static int ieee80211_auth(struct wiphy *
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_STATION)
-		return -EOPNOTSUPP;
-
 	switch (req->auth_type) {
 	case NL80211_AUTHTYPE_OPEN_SYSTEM:
 		sdata->u.mgd.auth_algs = IEEE80211_AUTH_ALG_OPEN;
@@ -1268,9 +1236,6 @@ static int ieee80211_assoc(struct wiphy 
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_STATION)
-		return -EOPNOTSUPP;
-
 	if (memcmp(sdata->u.mgd.bssid, req->peer_addr, ETH_ALEN) != 0 ||
 	    !(sdata->u.mgd.flags & IEEE80211_STA_AUTHENTICATED))
 		return -ENOLINK; /* not authenticated */
@@ -1305,8 +1270,6 @@ static int ieee80211_deauth(struct wiphy
 	struct ieee80211_sub_if_data *sdata;
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-	if (sdata->vif.type != NL80211_IFTYPE_STATION)
-		return -EOPNOTSUPP;
 
 	/* TODO: req->ie */
 	return ieee80211_sta_deauthenticate(sdata, req->reason_code);
@@ -1319,9 +1282,6 @@ static int ieee80211_disassoc(struct wip
 
 	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-	if (sdata->vif.type != NL80211_IFTYPE_STATION)
-		return -EOPNOTSUPP;
-
 	/* TODO: req->ie */
 	return ieee80211_sta_disassociate(sdata, req->reason_code);
 }
--- uml.orig/net/wireless/nl80211.c	2009-03-20 18:03:59.000000000 +0200
+++ uml/net/wireless/nl80211.c	2009-03-20 21:16:18.000000000 +0200
@@ -1049,6 +1049,11 @@ static int nl80211_addset_beacon(struct 
 	if (err)
 		goto unlock_rtnl;
 
+	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	switch (info->genlhdr->cmd) {
 	case NL80211_CMD_NEW_BEACON:
 		/* these are required for NEW_BEACON */
@@ -1136,6 +1141,10 @@ static int nl80211_del_beacon(struct sk_
 		goto out;
 	}
 
+	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
 	err = drv->ops->del_beacon(&drv->wiphy, dev);
 
  out:
@@ -1324,7 +1333,7 @@ static int nl80211_dump_station(struct s
 	}
 
 	if (!dev->ops->dump_station) {
-		err = -ENOSYS;
+		err = -EOPNOTSUPP;
 		goto out_err;
 	}
 
@@ -1698,10 +1707,15 @@ static int nl80211_dump_mpath(struct sk_
 	}
 
 	if (!dev->ops->dump_mpath) {
-		err = -ENOSYS;
+		err = -EOPNOTSUPP;
 		goto out_err;
 	}
 
+	if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	while (1) {
 		err = dev->ops->dump_mpath(&dev->wiphy, netdev, path_idx,
 					   dst, next_hop, &pinfo);
@@ -1759,6 +1773,11 @@ static int nl80211_get_mpath(struct sk_b
 		goto out;
 	}
 
+	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	err = drv->ops->get_mpath(&drv->wiphy, dev, dst, next_hop, &pinfo);
 	if (err)
 		goto out;
@@ -1813,6 +1832,11 @@ static int nl80211_set_mpath(struct sk_b
 		goto out;
 	}
 
+	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	if (!netif_running(dev)) {
 		err = -ENETDOWN;
 		goto out;
@@ -1856,6 +1880,11 @@ static int nl80211_new_mpath(struct sk_b
 		goto out;
 	}
 
+	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	if (!netif_running(dev)) {
 		err = -ENETDOWN;
 		goto out;
@@ -1944,6 +1973,11 @@ static int nl80211_set_bss(struct sk_buf
 		goto out;
 	}
 
+	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	err = drv->ops->change_bss(&drv->wiphy, dev, &params);
 
  out:
@@ -2058,6 +2092,11 @@ static int nl80211_get_mesh_params(struc
 		goto out;
 	}
 
+	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	/* Get the mesh params */
 	err = drv->ops->get_mesh_params(&drv->wiphy, dev, &cur_params);
 	if (err)
@@ -2175,6 +2214,11 @@ static int nl80211_set_mesh_params(struc
 		goto out;
 	}
 
+	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	/* This makes sure that there aren't more than 32 mesh config
 	 * parameters (otherwise our bitfield scheme would not work.) */
 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
@@ -2661,6 +2705,11 @@ static int nl80211_authenticate(struct s
 		goto out;
 	}
 
+	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	if (!netif_running(dev)) {
 		err = -ENETDOWN;
 		goto out;
@@ -2734,6 +2783,11 @@ static int nl80211_associate(struct sk_b
 		goto out;
 	}
 
+	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	if (!netif_running(dev)) {
 		err = -ENETDOWN;
 		goto out;
@@ -2797,6 +2851,11 @@ static int nl80211_deauthenticate(struct
 		goto out;
 	}
 
+	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	if (!netif_running(dev)) {
 		err = -ENETDOWN;
 		goto out;
@@ -2856,6 +2915,11 @@ static int nl80211_disassociate(struct s
 		goto out;
 	}
 
+	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	if (!netif_running(dev)) {
 		err = -ENETDOWN;
 		goto out;

-- 

-- 
Jouni Malinen                                            PGP id EFC895FA

Re: [PATCH 4/4] nl80211: Check iftype in cfg80211 code

[Johannes Berg]

[-- Attachment #1: Type: text/plain, Size: 9518 bytes --]

On Fri, 2009-03-20 at 21:21 +0200, Jouni Malinen wrote:
> plain text document attachment (nl80211-check-iftype.patch)
> We do not want to require all the drivers using cfg80211 to need to do
> this. In addition, make the error values consistent by using
> EOPNOTSUPP instead of semi-random assortment of errno values.
> 
> Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>

Great, thanks.

Acked-by: Johannes Berg <johannes@sipsolutions.net>

> ---
>  net/mac80211/cfg.c     |   40 ----------------------------
>  net/wireless/nl80211.c |   68 +++++++++++++++++++++++++++++++++++++++++++++++--
>  2 files changed, 66 insertions(+), 42 deletions(-)
> 
> --- uml.orig/net/mac80211/cfg.c	2009-03-20 18:03:59.000000000 +0200
> +++ uml/net/mac80211/cfg.c	2009-03-20 18:04:01.000000000 +0200
> @@ -540,9 +540,6 @@ static int ieee80211_add_beacon(struct w
>  
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_AP)
> -		return -EINVAL;
> -
>  	old = sdata->u.ap.beacon;
>  
>  	if (old)
> @@ -559,9 +556,6 @@ static int ieee80211_set_beacon(struct w
>  
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_AP)
> -		return -EINVAL;
> -
>  	old = sdata->u.ap.beacon;
>  
>  	if (!old)
> @@ -577,9 +571,6 @@ static int ieee80211_del_beacon(struct w
>  
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_AP)
> -		return -EINVAL;
> -
>  	old = sdata->u.ap.beacon;
>  
>  	if (!old)
> @@ -858,9 +849,6 @@ static int ieee80211_add_mpath(struct wi
>  
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
> -		return -ENOTSUPP;
> -
>  	rcu_read_lock();
>  	sta = sta_info_get(local, next_hop);
>  	if (!sta) {
> @@ -908,9 +896,6 @@ static int ieee80211_change_mpath(struct
>  
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
> -		return -ENOTSUPP;
> -
>  	rcu_read_lock();
>  
>  	sta = sta_info_get(local, next_hop);
> @@ -979,9 +964,6 @@ static int ieee80211_get_mpath(struct wi
>  
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
> -		return -ENOTSUPP;
> -
>  	rcu_read_lock();
>  	mpath = mesh_path_lookup(dst, sdata);
>  	if (!mpath) {
> @@ -1003,9 +985,6 @@ static int ieee80211_dump_mpath(struct w
>  
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
> -		return -ENOTSUPP;
> -
>  	rcu_read_lock();
>  	mpath = mesh_path_lookup_by_idx(idx, sdata);
>  	if (!mpath) {
> @@ -1025,8 +1004,6 @@ static int ieee80211_get_mesh_params(str
>  	struct ieee80211_sub_if_data *sdata;
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
> -		return -ENOTSUPP;
>  	memcpy(conf, &(sdata->u.mesh.mshcfg), sizeof(struct mesh_config));
>  	return 0;
>  }
> @@ -1044,9 +1021,6 @@ static int ieee80211_set_mesh_params(str
>  	struct ieee80211_sub_if_data *sdata;
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
> -		return -ENOTSUPP;
> -
>  	/* Set the config options which we are interested in setting */
>  	conf = &(sdata->u.mesh.mshcfg);
>  	if (_chg_mesh_attr(NL80211_MESHCONF_RETRY_TIMEOUT, mask))
> @@ -1094,9 +1068,6 @@ static int ieee80211_change_bss(struct w
>  
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_AP)
> -		return -EINVAL;
> -
>  	if (params->use_cts_prot >= 0) {
>  		sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot;
>  		changed |= BSS_CHANGED_ERP_CTS_PROT;
> @@ -1209,9 +1180,6 @@ static int ieee80211_auth(struct wiphy *
>  
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_STATION)
> -		return -EOPNOTSUPP;
> -
>  	switch (req->auth_type) {
>  	case NL80211_AUTHTYPE_OPEN_SYSTEM:
>  		sdata->u.mgd.auth_algs = IEEE80211_AUTH_ALG_OPEN;
> @@ -1268,9 +1236,6 @@ static int ieee80211_assoc(struct wiphy 
>  
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_STATION)
> -		return -EOPNOTSUPP;
> -
>  	if (memcmp(sdata->u.mgd.bssid, req->peer_addr, ETH_ALEN) != 0 ||
>  	    !(sdata->u.mgd.flags & IEEE80211_STA_AUTHENTICATED))
>  		return -ENOLINK; /* not authenticated */
> @@ -1305,8 +1270,6 @@ static int ieee80211_deauth(struct wiphy
>  	struct ieee80211_sub_if_data *sdata;
>  
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
> -	if (sdata->vif.type != NL80211_IFTYPE_STATION)
> -		return -EOPNOTSUPP;
>  
>  	/* TODO: req->ie */
>  	return ieee80211_sta_deauthenticate(sdata, req->reason_code);
> @@ -1319,9 +1282,6 @@ static int ieee80211_disassoc(struct wip
>  
>  	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>  
> -	if (sdata->vif.type != NL80211_IFTYPE_STATION)
> -		return -EOPNOTSUPP;
> -
>  	/* TODO: req->ie */
>  	return ieee80211_sta_disassociate(sdata, req->reason_code);
>  }
> --- uml.orig/net/wireless/nl80211.c	2009-03-20 18:03:59.000000000 +0200
> +++ uml/net/wireless/nl80211.c	2009-03-20 21:16:18.000000000 +0200
> @@ -1049,6 +1049,11 @@ static int nl80211_addset_beacon(struct 
>  	if (err)
>  		goto unlock_rtnl;
>  
> +	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
> +
>  	switch (info->genlhdr->cmd) {
>  	case NL80211_CMD_NEW_BEACON:
>  		/* these are required for NEW_BEACON */
> @@ -1136,6 +1141,10 @@ static int nl80211_del_beacon(struct sk_
>  		goto out;
>  	}
>  
> +	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
>  	err = drv->ops->del_beacon(&drv->wiphy, dev);
>  
>   out:
> @@ -1324,7 +1333,7 @@ static int nl80211_dump_station(struct s
>  	}
>  
>  	if (!dev->ops->dump_station) {
> -		err = -ENOSYS;
> +		err = -EOPNOTSUPP;
>  		goto out_err;
>  	}
>  
> @@ -1698,10 +1707,15 @@ static int nl80211_dump_mpath(struct sk_
>  	}
>  
>  	if (!dev->ops->dump_mpath) {
> -		err = -ENOSYS;
> +		err = -EOPNOTSUPP;
>  		goto out_err;
>  	}
>  
> +	if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
> +
>  	while (1) {
>  		err = dev->ops->dump_mpath(&dev->wiphy, netdev, path_idx,
>  					   dst, next_hop, &pinfo);
> @@ -1759,6 +1773,11 @@ static int nl80211_get_mpath(struct sk_b
>  		goto out;
>  	}
>  
> +	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
> +
>  	err = drv->ops->get_mpath(&drv->wiphy, dev, dst, next_hop, &pinfo);
>  	if (err)
>  		goto out;
> @@ -1813,6 +1832,11 @@ static int nl80211_set_mpath(struct sk_b
>  		goto out;
>  	}
>  
> +	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
> +
>  	if (!netif_running(dev)) {
>  		err = -ENETDOWN;
>  		goto out;
> @@ -1856,6 +1880,11 @@ static int nl80211_new_mpath(struct sk_b
>  		goto out;
>  	}
>  
> +	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
> +
>  	if (!netif_running(dev)) {
>  		err = -ENETDOWN;
>  		goto out;
> @@ -1944,6 +1973,11 @@ static int nl80211_set_bss(struct sk_buf
>  		goto out;
>  	}
>  
> +	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
> +
>  	err = drv->ops->change_bss(&drv->wiphy, dev, &params);
>  
>   out:
> @@ -2058,6 +2092,11 @@ static int nl80211_get_mesh_params(struc
>  		goto out;
>  	}
>  
> +	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
> +
>  	/* Get the mesh params */
>  	err = drv->ops->get_mesh_params(&drv->wiphy, dev, &cur_params);
>  	if (err)
> @@ -2175,6 +2214,11 @@ static int nl80211_set_mesh_params(struc
>  		goto out;
>  	}
>  
> +	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
> +
>  	/* This makes sure that there aren't more than 32 mesh config
>  	 * parameters (otherwise our bitfield scheme would not work.) */
>  	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
> @@ -2661,6 +2705,11 @@ static int nl80211_authenticate(struct s
>  		goto out;
>  	}
>  
> +	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
> +
>  	if (!netif_running(dev)) {
>  		err = -ENETDOWN;
>  		goto out;
> @@ -2734,6 +2783,11 @@ static int nl80211_associate(struct sk_b
>  		goto out;
>  	}
>  
> +	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
> +
>  	if (!netif_running(dev)) {
>  		err = -ENETDOWN;
>  		goto out;
> @@ -2797,6 +2851,11 @@ static int nl80211_deauthenticate(struct
>  		goto out;
>  	}
>  
> +	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
> +
>  	if (!netif_running(dev)) {
>  		err = -ENETDOWN;
>  		goto out;
> @@ -2856,6 +2915,11 @@ static int nl80211_disassociate(struct s
>  		goto out;
>  	}
>  
> +	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION) {
> +		err = -EOPNOTSUPP;
> +		goto out;
> +	}
> +
>  	if (!netif_running(dev)) {
>  		err = -ENETDOWN;
>  		goto out;
> 
> -- 
> 

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 836 bytes --]