diff options
| author | Johannes Berg <johannes@sipsolutions.net> | 2008-10-30 17:09:54 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2008-11-10 15:11:56 -0500 |
| commit | 2c706002fc147decdba2658ea48e4436faca3af2 (patch) | |
| tree | 3e515fa59e6f7de045579f103cba09cd05293de7 /drivers/net/wireless/airo.c | |
| parent | 9b1fbae4b242cf86a878771eb59dc600dde72ec8 (diff) | |
don't use net/ieee80211.h
Convert all the drivers using net/ieee80211.h to use linux/ieee80211.h.
Contains a bugfix in libertas where the SSID parsing could overrun the
buffer when the AP sends invalid information.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Acked-by: Dan Williams <dcbw@redhat.com> [airo, libertas]
Acked-by: Pavel Roskin <proski@gnu.org> [orinoco]
Acked-by: David Kilroy <kilroyd@googlemail.com> [orinoco]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/airo.c')
| -rw-r--r-- | drivers/net/wireless/airo.c | 50 |
1 files changed, 24 insertions, 26 deletions
diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c index c8dc6568cec9..67d504e32290 100644 --- a/drivers/net/wireless/airo.c +++ b/drivers/net/wireless/airo.c | |||
| @@ -47,10 +47,11 @@ | |||
| 47 | #include <linux/ioport.h> | 47 | #include <linux/ioport.h> |
| 48 | #include <linux/pci.h> | 48 | #include <linux/pci.h> |
| 49 | #include <asm/uaccess.h> | 49 | #include <asm/uaccess.h> |
| 50 | #include <net/ieee80211.h> | ||
| 51 | #include <linux/kthread.h> | 50 | #include <linux/kthread.h> |
| 52 | #include <linux/freezer.h> | 51 | #include <linux/freezer.h> |
| 53 | 52 | ||
| 53 | #include <linux/ieee80211.h> | ||
| 54 | |||
| 54 | #include "airo.h" | 55 | #include "airo.h" |
| 55 | 56 | ||
| 56 | #define DRV_NAME "airo" | 57 | #define DRV_NAME "airo" |
| @@ -7265,56 +7266,53 @@ static inline char *airo_translate_scan(struct net_device *dev, | |||
| 7265 | if (test_bit(FLAG_WPA_CAPABLE, &ai->flags)) { | 7266 | if (test_bit(FLAG_WPA_CAPABLE, &ai->flags)) { |
| 7266 | unsigned int num_null_ies = 0; | 7267 | unsigned int num_null_ies = 0; |
| 7267 | u16 length = sizeof (bss->extra.iep); | 7268 | u16 length = sizeof (bss->extra.iep); |
| 7268 | struct ieee80211_info_element *info_element = | 7269 | u8 *ie = (void *)&bss->extra.iep; |
| 7269 | (struct ieee80211_info_element *) &bss->extra.iep; | ||
| 7270 | 7270 | ||
| 7271 | while ((length >= sizeof(*info_element)) && (num_null_ies < 2)) { | 7271 | while ((length >= 2) && (num_null_ies < 2)) { |
| 7272 | if (sizeof(*info_element) + info_element->len > length) { | 7272 | if (2 + ie[1] > length) { |
| 7273 | /* Invalid element, don't continue parsing IE */ | 7273 | /* Invalid element, don't continue parsing IE */ |
| 7274 | break; | 7274 | break; |
| 7275 | } | 7275 | } |
| 7276 | 7276 | ||
| 7277 | switch (info_element->id) { | 7277 | switch (ie[0]) { |
| 7278 | case MFIE_TYPE_SSID: | 7278 | case WLAN_EID_SSID: |
| 7279 | /* Two zero-length SSID elements | 7279 | /* Two zero-length SSID elements |
| 7280 | * mean we're done parsing elements */ | 7280 | * mean we're done parsing elements */ |
| 7281 | if (!info_element->len) | 7281 | if (!ie[1]) |
| 7282 | num_null_ies++; | 7282 | num_null_ies++; |
| 7283 | break; | 7283 | break; |
| 7284 | 7284 | ||
| 7285 | case MFIE_TYPE_GENERIC: | 7285 | case WLAN_EID_GENERIC: |
| 7286 | if (info_element->len >= 4 && | 7286 | if (ie[1] >= 4 && |
| 7287 | info_element->data[0] == 0x00 && | 7287 | ie[2] == 0x00 && |
| 7288 | info_element->data[1] == 0x50 && | 7288 | ie[3] == 0x50 && |
| 7289 | info_element->data[2] == 0xf2 && | 7289 | ie[4] == 0xf2 && |
| 7290 | info_element->data[3] == 0x01) { | 7290 | ie[5] == 0x01) { |
| 7291 | iwe.cmd = IWEVGENIE; | 7291 | iwe.cmd = IWEVGENIE; |
| 7292 | iwe.u.data.length = min(info_element->len + 2, | 7292 | /* 64 is an arbitrary cut-off */ |
| 7293 | MAX_WPA_IE_LEN); | 7293 | iwe.u.data.length = min(ie[1] + 2, |
| 7294 | 64); | ||
| 7294 | current_ev = iwe_stream_add_point( | 7295 | current_ev = iwe_stream_add_point( |
| 7295 | info, current_ev, | 7296 | info, current_ev, |
| 7296 | end_buf, &iwe, | 7297 | end_buf, &iwe, ie); |
| 7297 | (char *) info_element); | ||
| 7298 | } | 7298 | } |
| 7299 | break; | 7299 | break; |
| 7300 | 7300 | ||
| 7301 | case MFIE_TYPE_RSN: | 7301 | case WLAN_EID_RSN: |
| 7302 | iwe.cmd = IWEVGENIE; | 7302 | iwe.cmd = IWEVGENIE; |
| 7303 | iwe.u.data.length = min(info_element->len + 2, | 7303 | /* 64 is an arbitrary cut-off */ |
| 7304 | MAX_WPA_IE_LEN); | 7304 | iwe.u.data.length = min(ie[1] + 2, 64); |
| 7305 | current_ev = iwe_stream_add_point( | 7305 | current_ev = iwe_stream_add_point( |
| 7306 | info, current_ev, end_buf, | 7306 | info, current_ev, end_buf, |
| 7307 | &iwe, (char *) info_element); | 7307 | &iwe, ie); |
| 7308 | break; | 7308 | break; |
| 7309 | 7309 | ||
| 7310 | default: | 7310 | default: |
| 7311 | break; | 7311 | break; |
| 7312 | } | 7312 | } |
| 7313 | 7313 | ||
| 7314 | length -= sizeof(*info_element) + info_element->len; | 7314 | length -= 2 + ie[1]; |
| 7315 | info_element = | 7315 | ie += 2 + ie[1]; |
| 7316 | (struct ieee80211_info_element *)&info_element-> | ||
| 7317 | data[info_element->len]; | ||
| 7318 | } | 7316 | } |
| 7319 | } | 7317 | } |
| 7320 | return current_ev; | 7318 | return current_ev; |