[PATCH] athk6l: Fix channel list processing in scan requests

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] athk6l: Fix channel list processing in scan requests
@ 2011-09-02 17:07 Jouni Malinen
  2011-09-05  9:05 ` Kalle Valo
  0 siblings, 1 reply; 2+ messages in thread
From: Jouni Malinen @ 2011-09-02 17:07 UTC (permalink / raw)
  To: Kalle Valo; +Cc: linux-wireless

Limit the length of the channel list to WMI_MAX_CHANNELS to avoid
rejection of the request in wmi.c. Since there is not really much
point in using a specific list of more than 32 channels, drop the
channel list if more channels are specified and scan all channels.

Fix cfg80211 scan API use: ar->scan_req must be set only if returning
success from scan() handler. The previous version would result in use
of freed memory and likely kernel panic should the scan request fail
to be sent to the target.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
 drivers/net/wireless/ath/ath6kl/cfg80211.c |   14 ++++++++++----
 1 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/ath/ath6kl/cfg80211.c b/drivers/net/wireless/ath/ath6kl/cfg80211.c
index 7db6658..1fe55f6 100644
--- a/drivers/net/wireless/ath/ath6kl/cfg80211.c
+++ b/drivers/net/wireless/ath/ath6kl/cfg80211.c
@@ -793,10 +793,16 @@ static int ath6kl_cfg80211_scan(struct wiphy *wiphy, struct net_device *ndev,
 		}
 	}
 
-	if (request->n_channels > 0) {
+	/*
+	 * Scan only the requested channels if the request specifies a set of
+	 * channels. If the list is longer than the target supports, do not
+	 * configure the list and instead, scan all available channels.
+	 */
+	if (request->n_channels > 0 &&
+	    request->n_channels <= WMI_MAX_CHANNELS) {
 		u8 i;
 
-		n_channels = min(127U, request->n_channels);
+		n_channels = request->n_channels;
 
 		channels = kzalloc(n_channels * sizeof(u16), GFP_KERNEL);
 		if (channels == NULL) {
@@ -813,8 +819,8 @@ static int ath6kl_cfg80211_scan(struct wiphy *wiphy, struct net_device *ndev,
 				       false, 0, 0, n_channels, channels);
 	if (ret)
 		ath6kl_err("wmi_startscan_cmd failed\n");
-
-	ar->scan_req = request;
+	else
+		ar->scan_req = request;
 
 	kfree(channels);
 
-- 
1.7.4.1


-- 
Jouni Malinen                                            PGP id EFC895FA

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] athk6l: Fix channel list processing in scan requests
  2011-09-02 17:07 [PATCH] athk6l: Fix channel list processing in scan requests Jouni Malinen
@ 2011-09-05  9:05 ` Kalle Valo
  0 siblings, 0 replies; 2+ messages in thread
From: Kalle Valo @ 2011-09-05  9:05 UTC (permalink / raw)
  To: Jouni Malinen; +Cc: linux-wireless

On 09/02/2011 08:07 PM, Jouni Malinen wrote:
> Limit the length of the channel list to WMI_MAX_CHANNELS to avoid
> rejection of the request in wmi.c. Since there is not really much
> point in using a specific list of more than 32 channels, drop the
> channel list if more channels are specified and scan all channels.
> 
> Fix cfg80211 scan API use: ar->scan_req must be set only if returning
> success from scan() handler. The previous version would result in use
> of freed memory and likely kernel panic should the scan request fail
> to be sent to the target.

Thanks, applied.

Kalle

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2011-09-05  9:05 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-09-02 17:07 [PATCH] athk6l: Fix channel list processing in scan requests Jouni Malinen
2011-09-05  9:05 ` Kalle Valo

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).