author | Adham Abozaeid <adham.abozaeid@microchip.com> | 2018-05-23 20:02:14 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-05-25 12:45:47 -0400 |
commit | 979eb0c96be97ddefc46cf8659741cf3ffc54fd2 (patch) | |
tree | 987ff6e5127e0bd32d6793f84f38895201465420 | |
parent | 173ffd0993fd3e6ec7e0e24424350a807605e6d0 (diff) |
staging: wilc1000: Avoid overriding rates_no while parsing ies element.
Commit d4b4aaba515a ("staging: wilc1000: fix line over 80 characters in
host_int_parse_join_bss_param()") introduced a bug by not keeping the
rates_no value while parsing ies elements.
It also increments auth_total_cnt as a pointer instead of its reference.
This commit fixes the bug by passing reference to rates_no to
host_int_parse_join_bss_param() and by incrementing reference of
auth_total_cnt
Fixes: d4b4aaba515a (staging: wilc1000: fix line over 80 characters in host_int_parse_join_bss_param())
Signed-off-by: Adham Abozaeid <adham.abozaeid@microchip.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/staging/wilc1000/host_interface.c | 24 |
1 files changed, 13 insertions, 11 deletions
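--- a/drivers/staging/wilc1000/host_interface.c
+++ b/drivers/staging/wilc1000/host_interface.c
@@ -3813,9 +3813,9 @@ int wilc_setup_multicast_filter(struct wilc_vif *vif, bool enabled,
 
 static void host_int_fill_join_bss_param(struct join_bss_param *param, u8 *ies,
 u16 *out_index, u8 *pcipher_tc,
-u8 *auth_total_cnt, u32 tsf_lo)
+u8 *auth_total_cnt, u32 tsf_lo,
+u8 *rates_no)
 {
-u8 rates_no = 0;
 u8 ext_rates_no;
 u16 offset;
 u8 pcipher_cnt;
@@ -3824,23 +3824,23 @@ static void host_int_fill_join_bss_param(struct join_bss_param *param, u8 *ies,
 u16 index = *out_index;
 
 if (ies[index] == SUPP_RATES_IE) {
-rates_no = ies[index + 1];
-param->supp_rates[0] = rates_no;
+*rates_no = ies[index + 1];
+param->supp_rates[0] = *rates_no;
 index += 2;
 
-for (i = 0; i < rates_no; i++)
+for (i = 0; i < *rates_no; i++)
 param->supp_rates[i + 1] = ies[index + i];
 
-index += rates_no;
+index += *rates_no;
 } else if (ies[index] == EXT_SUPP_RATES_IE) {
 ext_rates_no = ies[index + 1];
-if (ext_rates_no > (MAX_RATES_SUPPORTED - rates_no))
+if (ext_rates_no > (MAX_RATES_SUPPORTED - *rates_no))
 param->supp_rates[0] = MAX_RATES_SUPPORTED;
 else
 param->supp_rates[0] += ext_rates_no;
 index += 2;
-for (i = 0; i < (param->supp_rates[0] - rates_no); i++)
-param->supp_rates[rates_no + i + 1] = ies[index + i];
+for (i = 0; i < (param->supp_rates[0] - *rates_no); i++)
+param->supp_rates[*rates_no + i + 1] = ies[index + i];
 
 index += ext_rates_no;
 } else if (ies[index] == HT_CAPABILITY_IE) {
@@ -3929,7 +3929,7 @@ static void host_int_fill_join_bss_param(struct join_bss_param *param, u8 *ies,
 *policy = ies[rsn_idx + ((j + 1) * 4) - 1];
 }
 
-auth_total_cnt += auth_cnt;
+*auth_total_cnt += auth_cnt;
 rsn_idx += offset;
 
 if (ies[index] == RSN_IE) {
@@ -3950,6 +3950,7 @@ static void *host_int_parse_join_bss_param(struct network_info *info)
 {
 struct join_bss_param *param = NULL;
 u16 index = 0;
+u8 rates_no = 0;
 u8 pcipher_total_cnt = 0;
 u8 auth_total_cnt = 0;
 
@@ -3969,7 +3970,8 @@ static void *host_int_parse_join_bss_param(struct network_info *info)
 while (index < info->ies_len)
 host_int_fill_join_bss_param(param, info->ies, &index,
 &pcipher_total_cnt,
-&auth_total_cnt, info->tsf_lo);
+&auth_total_cnt, info->tsf_lo,
+&rates_no);
 
 return (void *)param;
 }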
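Review bot: In the SUPP_RATES_IE branch, `*rates_no = ies[index + 1]` takes the element length straight from the received IE buffer and then uses it as the bound for the writes to `param->supp_rates[i + 1]`, with no comparison against MAX_RATES_SUPPORTED like the one the EXT_SUPP_RATES_IE branch has. Because the value now persists in the caller across loop iterations, an oversized length also feeds `MAX_RATES_SUPPORTED - *rates_no` and the `supp_rates[*rates_no + i + 1]` index when a later element is parsed. The size of supp_rates is not visible here, but presumably it is tied to MAX_RATES_SUPPORTED; I would keep the raw length for advancing and clamp what is stored: `u8 len = ies[index + 1];`, `*rates_no = min_t(u8, len, MAX_RATES_SUPPORTED);`, `index += len;`. The caller's loop only checks `index < info->ies_len`, so `ies[index + 1]` and the copy reads are not bounded by the buffer length either; passing ies_len into the helper would let it reject truncated elements. host_int_fill_join_bss_param continues beyond the lines shown, so other branches may need the same treatment.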