aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorMichael Buesch <mb@bu3sch.de>2006-05-05 11:23:51 -0400
committerJohn W. Linville <linville@tuxdriver.com>2006-05-05 16:55:23 -0400
commit869aaab1812c4212e65fb181e94b824cf49f9509 (patch)
tree224829a8847e7aff4bd001de972123f4cd0fbeb0 /drivers
parentf9f7b9602ecb66f55718d6d1afa3e2b1e721b22d (diff)
[PATCH] bcm43xx: Fix array overrun in bcm43xx_geo_init
The problem here is that the bcm34xx driver and the ieee80211 stack do not agree on what channels are possible for 802.11a. The ieee80211 stack only wants channels between 34 and 165, while the bcm43xx driver accepts anything from 0 to 200. I made the bcm43xx driver comply with the ieee80211 stack expectations, by using the proper constants. Signed-off-by: Jean Delvare <jdelvare@suse.de> [mb]: Reduce stack usage by kzalloc-ing ieee80211_geo Signed-off-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/wireless/bcm43xx/bcm43xx_main.c43
-rw-r--r--drivers/net/wireless/bcm43xx/bcm43xx_main.h6
2 files changed, 30 insertions, 19 deletions
diff --git a/drivers/net/wireless/bcm43xx/bcm43xx_main.c b/drivers/net/wireless/bcm43xx/bcm43xx_main.c
index 4be2d9b5749b..e2982a83ae42 100644
--- a/drivers/net/wireless/bcm43xx/bcm43xx_main.c
+++ b/drivers/net/wireless/bcm43xx/bcm43xx_main.c
@@ -939,9 +939,9 @@ static int bcm43xx_sprom_extract(struct bcm43xx_private *bcm)
939 return 0; 939 return 0;
940} 940}
941 941
942static void bcm43xx_geo_init(struct bcm43xx_private *bcm) 942static int bcm43xx_geo_init(struct bcm43xx_private *bcm)
943{ 943{
944 struct ieee80211_geo geo; 944 struct ieee80211_geo *geo;
945 struct ieee80211_channel *chan; 945 struct ieee80211_channel *chan;
946 int have_a = 0, have_bg = 0; 946 int have_a = 0, have_bg = 0;
947 int i; 947 int i;
@@ -949,7 +949,10 @@ static void bcm43xx_geo_init(struct bcm43xx_private *bcm)
949 struct bcm43xx_phyinfo *phy; 949 struct bcm43xx_phyinfo *phy;
950 const char *iso_country; 950 const char *iso_country;
951 951
952 memset(&geo, 0, sizeof(geo)); 952 geo = kzalloc(sizeof(*geo), GFP_KERNEL);
953 if (!geo)
954 return -ENOMEM;
955
953 for (i = 0; i < bcm->nr_80211_available; i++) { 956 for (i = 0; i < bcm->nr_80211_available; i++) {
954 phy = &(bcm->core_80211_ext[i].phy); 957 phy = &(bcm->core_80211_ext[i].phy);
955 switch (phy->type) { 958 switch (phy->type) {
@@ -967,31 +970,36 @@ static void bcm43xx_geo_init(struct bcm43xx_private *bcm)
967 iso_country = bcm43xx_locale_iso(bcm->sprom.locale); 970 iso_country = bcm43xx_locale_iso(bcm->sprom.locale);
968 971
969 if (have_a) { 972 if (have_a) {
970 for (i = 0, channel = 0; channel < 201; channel++) { 973 for (i = 0, channel = IEEE80211_52GHZ_MIN_CHANNEL;
971 chan = &geo.a[i++]; 974 channel <= IEEE80211_52GHZ_MAX_CHANNEL; channel++) {
975 chan = &geo->a[i++];
972 chan->freq = bcm43xx_channel_to_freq_a(channel); 976 chan->freq = bcm43xx_channel_to_freq_a(channel);
973 chan->channel = channel; 977 chan->channel = channel;
974 } 978 }
975 geo.a_channels = i; 979 geo->a_channels = i;
976 } 980 }
977 if (have_bg) { 981 if (have_bg) {
978 for (i = 0, channel = 1; channel < 15; channel++) { 982 for (i = 0, channel = IEEE80211_24GHZ_MIN_CHANNEL;
979 chan = &geo.bg[i++]; 983 channel <= IEEE80211_24GHZ_MAX_CHANNEL; channel++) {
984 chan = &geo->bg[i++];
980 chan->freq = bcm43xx_channel_to_freq_bg(channel); 985 chan->freq = bcm43xx_channel_to_freq_bg(channel);
981 chan->channel = channel; 986 chan->channel = channel;
982 } 987 }
983 geo.bg_channels = i; 988 geo->bg_channels = i;
984 } 989 }
985 memcpy(geo.name, iso_country, 2); 990 memcpy(geo->name, iso_country, 2);
986 if (0 /*TODO: Outdoor use only */) 991 if (0 /*TODO: Outdoor use only */)
987 geo.name[2] = 'O'; 992 geo->name[2] = 'O';
988 else if (0 /*TODO: Indoor use only */) 993 else if (0 /*TODO: Indoor use only */)
989 geo.name[2] = 'I'; 994 geo->name[2] = 'I';
990 else 995 else
991 geo.name[2] = ' '; 996 geo->name[2] = ' ';
992 geo.name[3] = '\0'; 997 geo->name[3] = '\0';
998
999 ieee80211_set_geo(bcm->ieee, geo);
1000 kfree(geo);
993 1001
994 ieee80211_set_geo(bcm->ieee, &geo); 1002 return 0;
995} 1003}
996 1004
997/* DummyTransmission function, as documented on 1005/* DummyTransmission function, as documented on
@@ -3479,6 +3487,9 @@ static int bcm43xx_attach_board(struct bcm43xx_private *bcm)
3479 goto err_80211_unwind; 3487 goto err_80211_unwind;
3480 bcm43xx_wireless_core_disable(bcm); 3488 bcm43xx_wireless_core_disable(bcm);
3481 } 3489 }
3490 err = bcm43xx_geo_init(bcm);
3491 if (err)
3492 goto err_80211_unwind;
3482 bcm43xx_pctl_set_crystal(bcm, 0); 3493 bcm43xx_pctl_set_crystal(bcm, 0);
3483 3494
3484 /* Set the MAC address in the networking subsystem */ 3495 /* Set the MAC address in the networking subsystem */
@@ -3487,8 +3498,6 @@ static int bcm43xx_attach_board(struct bcm43xx_private *bcm)
3487 else 3498 else
3488 memcpy(bcm->net_dev->dev_addr, bcm->sprom.il0macaddr, 6); 3499 memcpy(bcm->net_dev->dev_addr, bcm->sprom.il0macaddr, 6);
3489 3500
3490 bcm43xx_geo_init(bcm);
3491
3492 snprintf(bcm->nick, IW_ESSID_MAX_SIZE, 3501 snprintf(bcm->nick, IW_ESSID_MAX_SIZE,
3493 "Broadcom %04X", bcm->chip_id); 3502 "Broadcom %04X", bcm->chip_id);
3494 3503
diff --git a/drivers/net/wireless/bcm43xx/bcm43xx_main.h b/drivers/net/wireless/bcm43xx/bcm43xx_main.h
index eca79a38594a..30a202b258b5 100644
--- a/drivers/net/wireless/bcm43xx/bcm43xx_main.h
+++ b/drivers/net/wireless/bcm43xx/bcm43xx_main.h
@@ -118,12 +118,14 @@ int bcm43xx_channel_to_freq(struct bcm43xx_private *bcm,
118static inline 118static inline
119int bcm43xx_is_valid_channel_a(u8 channel) 119int bcm43xx_is_valid_channel_a(u8 channel)
120{ 120{
121 return (channel <= 200); 121 return (channel >= IEEE80211_52GHZ_MIN_CHANNEL
122 && channel <= IEEE80211_52GHZ_MAX_CHANNEL);
122} 123}
123static inline 124static inline
124int bcm43xx_is_valid_channel_bg(u8 channel) 125int bcm43xx_is_valid_channel_bg(u8 channel)
125{ 126{
126 return (channel >= 1 && channel <= 14); 127 return (channel >= IEEE80211_24GHZ_MIN_CHANNEL
128 && channel <= IEEE80211_24GHZ_MAX_CHANNEL);
127} 129}
128static inline 130static inline
129int bcm43xx_is_valid_channel(struct bcm43xx_private *bcm, 131int bcm43xx_is_valid_channel(struct bcm43xx_private *bcm,