mwifiex: fix memory corruption when unsetting multicast list

When trying to unset a previously-set multicast list (i.e. the new list has 0 entries), mwifiex_set_multicast_list() was calling down to mwifiex_request_set_multicast_list() while leaving mcast_list.num_multicast_addr as an uninitialized value. We were arriving at mwifiex_cmd_mac_multicast_adr() which would then proceed to do an often huge memcpy of mcast_list.num_multicast_addr*ETH_ALEN bytes, causing memory corruption and hard to debug crashes. Fix this by setting mcast_list.num_multicast_addr to 0 when no multicast list is provided. Similarly, fix up the logic in mwifiex_request_set_multicast_list() to unset the multicast list that was previously sent to the hardware in such cases. Signed-off-by: Daniel Drake <dsd@laptop.org> Acked-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Daniel Drake <dsd@laptop.org> 2013-06-14 15:24:24 -0400
committer: John W. Linville <linville@tuxdriver.com> 2013-06-17 14:38:51 -0400
commit: 6390d88529835a8ad3563fe01a5da89fa52d6db2 (patch)
tree: 0761f683f4a31ff7cdba5c1e1ed9cfd9d1422e4e /drivers/net/wireless/mwifiex/sta_ioctl.c
parent: 3c68ef5b2223e084402a4fedbd4c31774f012f4f (diff)
1 files changed, 8 insertions, 10 deletions
diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c
index 1a8a19dbd635..23aa910bc5d0 100644
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -104,16 +104,14 @@ int mwifiex_request_set_multicast_list(struct mwifiex_private *priv,
                } else {
                        priv->curr_pkt_filter &=
                                ~HostCmd_ACT_MAC_ALL_MULTICAST_ENABLE;
-                        if (mcast_list->num_multicast_addr) {
+                        dev_dbg(priv->adapter->dev,
-                                dev_dbg(priv->adapter->dev,
+                                "info: Set multicast list=%d\n",
-                                        "info: Set multicast list=%d\n",
+                                mcast_list->num_multicast_addr);
-                                       mcast_list->num_multicast_addr);
+                        /* Send multicast addresses to firmware */
-                                /* Send multicast addresses to firmware */
+                        ret = mwifiex_send_cmd_async(priv,
-                                ret = mwifiex_send_cmd_async(priv,
+                                HostCmd_CMD_MAC_MULTICAST_ADR,
-                                        HostCmd_CMD_MAC_MULTICAST_ADR,
+                                HostCmd_ACT_GEN_SET, 0,
-                                        HostCmd_ACT_GEN_SET, 0,
+                                mcast_list);
-                                        mcast_list);
-                        }
                }
        }
        dev_dbg(priv->adapter->dev,
author	Daniel Drake <dsd@laptop.org>	2013-06-14 15:24:24 -0400
committer	John W. Linville <linville@tuxdriver.com>	2013-06-17 14:38:51 -0400
commit	6390d88529835a8ad3563fe01a5da89fa52d6db2 (patch)
tree	0761f683f4a31ff7cdba5c1e1ed9cfd9d1422e4e /drivers/net/wireless/mwifiex/sta_ioctl.c
parent	3c68ef5b2223e084402a4fedbd4c31774f012f4f (diff)

diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c index 1a8a19dbd635..23aa910bc5d0 100644 --- a/drivers/net/wireless/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -104,16 +104,14 @@ int mwifiex_request_set_multicast_list(struct mwifiex_private *priv,
104	} else {	104	} else {
105	priv->curr_pkt_filter &=	105	priv->curr_pkt_filter &=
106	~HostCmd_ACT_MAC_ALL_MULTICAST_ENABLE;	106	~HostCmd_ACT_MAC_ALL_MULTICAST_ENABLE;
107	if (mcast_list->num_multicast_addr) {	107	dev_dbg(priv->adapter->dev,
108	dev_dbg(priv->adapter->dev,	108	"info: Set multicast list=%d\n",
109	"info: Set multicast list=%d\n",	109	mcast_list->num_multicast_addr);
110	mcast_list->num_multicast_addr);	110	/* Send multicast addresses to firmware */
111	/* Send multicast addresses to firmware */	111	ret = mwifiex_send_cmd_async(priv,
112	ret = mwifiex_send_cmd_async(priv,	112	HostCmd_CMD_MAC_MULTICAST_ADR,
113	HostCmd_CMD_MAC_MULTICAST_ADR,	113	HostCmd_ACT_GEN_SET, 0,
114	HostCmd_ACT_GEN_SET, 0,	114	mcast_list);
115	mcast_list);
116	}
117	}	115	}
118	}	116	}
119	dev_dbg(priv->adapter->dev,	117	dev_dbg(priv->adapter->dev,