Diffstat (limited to 'net')
-rw-r--r-- | net/mac80211/main.c | 13 | ||||
-rw-r--r-- | net/mac80211/util.c | 2 | ||||
-rw-r--r-- | net/wireless/nl80211.c | 7 |
3 files changed, 21 insertions, 1 deletions
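--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -728,7 +728,18 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
 return NULL;
 
 wiphy->privid = mac80211_wiphy_privid;
-wiphy->max_scan_ssids = 4;
+
+if (!ops->hw_scan) {
+/* For hw_scan, driver needs to set these up. */
+wiphy->max_scan_ssids = 4;
+
+/* we support a maximum of 32 rates in cfg80211 */
+wiphy->max_scan_ie_len = IEEE80211_MAX_DATA_LEN
+- 2 - 32 /* SSID */
+- 4 - 32 /* (ext) supp rates */;
+
+}
+
 /* Yes, putting cfg80211_bss into ieee80211_bss is a hack */
 wiphy->bss_priv_size = sizeof(struct ieee80211_bss) -
 sizeof(struct cfg80211_bss);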
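Review bot: With both defaults now inside `if (!ops->hw_scan)`, a driver that implements hw_scan and has not been updated keeps whatever `max_scan_ssids` and `max_scan_ie_len` the wiphy allocation left in place, presumably zero. The length check this commit adds in nl80211_trigger_scan would then reject every scan request that carries IEs for that driver. That fails closed, which is the safe direction, but it is silent, and the driver-side changes are not visible here because the diffstat is limited to 'net'. The comment could name the fields so the requirement is searchable, e.g. `/* hw_scan drivers must set max_scan_ssids and max_scan_ie_len themselves */`. The body of ieee80211_alloc_hw starts and ends outside the hunk.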
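--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -890,6 +890,8 @@ void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata, u8 *dst,
 *pos = rate->bitrate / 5;
 }
 
+/* if adding more here, adjust max_scan_ie_len */
+
 if (ie)
 memcpy(skb_put(skb, ie_len), ie, ie_len);
 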
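Review bot: The added comment at new line 893 names `max_scan_ie_len` but not where its value is derived. The limit set in ieee80211_alloc_hw is a hand-written subtraction that has to mirror the elements this function appends before the `memcpy` of `ie`. Pointing at the computation keeps the two in step, e.g. `/* if adding more here, adjust max_scan_ie_len in ieee80211_alloc_hw() */`. The skb allocation that `skb_put(skb, ie_len)` relies on is outside the hunk, so whether it is sized for ie_len cannot be confirmed from here.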
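--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -181,6 +181,8 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
 NLA_PUT_STRING(msg, NL80211_ATTR_WIPHY_NAME, wiphy_name(&dev->wiphy));
 NLA_PUT_U8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
 dev->wiphy.max_scan_ssids);
+NLA_PUT_U16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
+dev->wiphy.max_scan_ie_len);
 
 nl_modes = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_IFTYPES);
 if (!nl_modes)
@@ -2528,6 +2530,11 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
 else
 ie_len = 0;
 
+if (ie_len > wiphy->max_scan_ie_len) {
+err = -EINVAL;
+goto out;
+}
+
 request = kzalloc(sizeof(*request)
 + sizeof(*ssid) * n_ssids
 + sizeof(channel) * n_channels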
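Review bot: The new check in nl80211_trigger_scan (new lines 2533-2536) bounds `ie_len` against `wiphy->max_scan_ie_len`, but for hw_scan drivers that limit is whatever the driver declared rather than a value derived from the probe-request layout. `ie_len` is presumably taken from the netlink request; its assignment is above the hunk. A short comment above the check would record that trust boundary, e.g. `/* ie_len is userspace-supplied; max_scan_ie_len is the limit declared by the driver or mac80211 */`. hw_scan drivers should still bound the copy into their own command buffers. The rest of the kzalloc size expression, and the body of nl80211_trigger_scan, continue outside the hunk.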