author | Al Viro <viro@zeniv.linux.org.uk> | 2007-12-19 16:45:29 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 18:08:49 -0500 |
commit | 977b143c13e685081625704ac356b741d71c6a73 (patch) | |
tree | e6ec8f913cedc613eca468c92556719a48885cd2 /drivers | |
parent | 8524f59d4735e1ff9c9dc3e09ebcc7bdb3b32b7b (diff) |
airo: fix transmit_802_11_packet()
a) gaplen would better be stored little-endian
b) for control packets (shorter than 24-byte header) we ended up with
bap_write(ai, hdrlen == 30 ?
(const u16*)&gap.gaplen : (const u16*)&gap, 38 - hdrlen, BAP1);
passing to card the data past the end of gap (i.e. random stuff from stack)
and did _not_ feed the gaplen at the right offset.
c) sending the contents of uninitialized fields of struct is Not Nice(tm) either
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/net/wireless/airo.c | 11 |
1 files changed, 3 insertions, 8 deletions
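diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c
index be9aa4efeca5..24fa0d62efe4 100644
--- a/drivers/net/wireless/airo.c
+++ b/drivers/net/wireless/airo.c
@@ -4365,14 +4365,10 @@ static int transmit_802_11_packet(struct airo_info *ai, int len, char *pPacket)
 Cmd cmd;
 Resp rsp;
 int hdrlen;
-struct {
-u8 addr4[ETH_ALEN];
-u16 gaplen;
-u8 gap[6];
-} gap;
+static u8 tail[(30-10) + 2 + 6] = {[30-10] = 6};
+/* padding of header to full size + le16 gaplen (6) + gaplen bytes */
 u16 txFid = len;
 len >>= 16;
-gap.gaplen = 6;
 
 fc = le16_to_cpu(*(const u16*)pPacket);
 switch (fc & 0xc) {
@@ -4405,8 +4401,7 @@ static int transmit_802_11_packet(struct airo_info *ai, int len, char *pPacket)
 bap_write(ai, &payloadLen, sizeof(payloadLen),BAP1);
 if (bap_setup(ai, txFid, 0x0014, BAP1) != SUCCESS) return ERROR;
 bap_write(ai, (const u16*)pPacket, hdrlen, BAP1);
-bap_write(ai, hdrlen == 30 ?
-(const u16*)&gap.gaplen : (const u16*)&gap, 38 - hdrlen, BAP1);
+bap_write(ai, (u16 *)(tail + (hdrlen - 10)), 38 - hdrlen, BAP1);
 
 bap_write(ai, (const u16*)(pPacket + hdrlen), len - hdrlen, BAP1);
 // issue the transmit command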
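Review bot: `tail` is only ever read, yet it is declared as a writable `static u8` array and passed through a `(u16 *)` cast, while the neighbouring calls cast to `(const u16*)`. Declaring it `static const u8 tail[(30-10) + 2 + 6] = {[30-10] = 6};` and calling `bap_write(ai, (const u16 *)(tail + (hdrlen - 10)), 38 - hdrlen, BAP1);` would keep the shared buffer immutable and consistent with the other calls. The read always ends exactly at the end of the 28-byte array, but it starts inside the array only if hdrlen is at least 10, and it stays on a 16-bit boundary relative to `tail` only if hdrlen is even. hdrlen is assigned in the switch between the two hunks, which is not visible here, so the declaration comment should state the invariant, e.g. `/* relies on 10 <= hdrlen <= 30 and hdrlen even */`. The function body starts before the first hunk and continues past the second.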