authorAl Viro <viro@zeniv.linux.org.uk>2007-12-19 16:45:29 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 18:08:49 -0500
commit977b143c13e685081625704ac356b741d71c6a73 (patch)
treee6ec8f913cedc613eca468c92556719a48885cd2 /drivers/net/wireless/airo.c
parent8524f59d4735e1ff9c9dc3e09ebcc7bdb3b32b7b (diff)
airo: fix transmit_802_11_packet()
a) gaplen would better be stored little-endian b) for control packets (shorter than 24-byte header) we ended up with bap_write(ai, hdrlen == 30 ? (const u16*)&gap.gaplen : (const u16*)&gap, 38 - hdrlen, BAP1); passing to card the data past the end of gap (i.e. random stuff from stack) and did _not_ feed the gaplen at the right offset. c) sending the contents of uninitialized fields of struct is Not Nice(tm) either Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/airo.c')
-rw-r--r--drivers/net/wireless/airo.c11
1 files changed, 3 insertions, 8 deletions
diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c
index be9aa4efeca5..24fa0d62efe4 100644
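--- a/drivers/net/wireless/airo.c
+++ b/drivers/net/wireless/airo.c
@@ -4365,14 +4365,10 @@ static int transmit_802_11_packet(struct airo_info *ai, int len, char *pPacket)
 Cmd cmd;
 Resp rsp;
 int hdrlen;
-struct {
-u8 addr4[ETH_ALEN];
-u16 gaplen;
-u8 gap[6];
-} gap;
+static u8 tail[(30-10) + 2 + 6] = {[30-10] = 6};
+/* padding of header to full size + le16 gaplen (6) + gaplen bytes */
 u16 txFid = len;
 len >>= 16;
-gap.gaplen = 6;
 
 fc = le16_to_cpu(*(const u16*)pPacket);
 switch (fc & 0xc) {
@@ -4405,8 +4401,7 @@ static int transmit_802_11_packet(struct airo_info *ai, int len, char *pPacket)
 bap_write(ai, &payloadLen, sizeof(payloadLen),BAP1);
 if (bap_setup(ai, txFid, 0x0014, BAP1) != SUCCESS) return ERROR;
 bap_write(ai, (const u16*)pPacket, hdrlen, BAP1);
-bap_write(ai, hdrlen == 30 ?
-(const u16*)&gap.gaplen : (const u16*)&gap, 38 - hdrlen, BAP1);
+bap_write(ai, (u16 *)(tail + (hdrlen - 10)), 38 - hdrlen, BAP1);
 
 bap_write(ai, (const u16*)(pPacket + hdrlen), len - hdrlen, BAP1);
 // issue the transmit command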
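Review bot: The new `tail` buffer (new line 4368) is declared `static u8` without `const`, and the `bap_write()` call at new line 4404 casts it to a plain `u16 *` while the neighbouring calls use `const u16*`. The point of the change is that the card only ever receives known bytes, so I would make the array read-only so that nothing can alter it between calls: `static const u8 tail[(30-10) + 2 + 6] = {[30-10] = 6};` and `bap_write(ai, (const u16 *)(tail + (hdrlen - 10)), 38 - hdrlen, BAP1);`. The offset `hdrlen - 10` stays inside the 28-byte array only while hdrlen is between 10 and 30, and the switch that sets hdrlen is outside the visible lines, so a short comment stating that range next to the declaration would make the bound checkable. The body of transmit_802_11_packet() starts and ends outside both hunks.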