Diffstat (limited to 'drivers/staging')
4 files changed, 80 insertions, 26 deletions
diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c index 58a5524fd77..a6eb85cfa0a 100644 --- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c +++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c @@ -2652,7 +2652,7 @@ static eHalStatus roamRoamConnectStatusUpdateHandler( hdd_adapter_t *pAdapter, t case eCSR_ROAM_RESULT_IBSS_NEW_PEER: { hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); - struct station_info *staInfo; + struct station_info *stainfo; pr_info ( "IBSS New Peer indication from SME " "with peerMac " MAC_ADDRESS_STR " BSSID: " MAC_ADDRESS_STR " and stationID= %d", @@ -2686,22 +2686,20 @@ static eHalStatus roamRoamConnectStatusUpdateHandler( hdd_adapter_t *pAdapter, t vosStatus, vosStatus ); } pHddStaCtx->ibss_sta_generation++; - - staInfo = vos_mem_malloc(sizeof(*staInfo)); - if (staInfo == NULL) { + stainfo = vos_mem_malloc(sizeof(*stainfo)); + if (stainfo == NULL) { VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, "memory allocation for station_info failed"); return eHAL_STATUS_FAILED_ALLOC; } - - memset(staInfo, 0, sizeof(*staInfo)); - staInfo->filled = 0; - staInfo->generation = pHddStaCtx->ibss_sta_generation; + memset(stainfo, 0, sizeof(*stainfo)); + stainfo->filled = 0; + stainfo->generation = pHddStaCtx->ibss_sta_generation; cfg80211_new_sta(pAdapter->dev, - (const u8 *)pRoamInfo->peerMac, - staInfo, GFP_KERNEL); - vos_mem_free(staInfo); + (const u8 *)pRoamInfo->peerMac, + stainfo, GFP_KERNEL); + vos_mem_free(stainfo); if ( eCSR_ENCRYPT_TYPE_WEP40_STATICKEY == pHddStaCtx->ibss_enc_key.encType ||eCSR_ENCRYPT_TYPE_WEP104_STATICKEY == pHddStaCtx->ibss_enc_key.encType diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c index ebb6cd52bde..d64f2eb036d 100644 --- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c +++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c 
@@ -3500,10 +3500,20 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy, pReqMsg->numAp = nla_get_u32( tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_NUM_AP]); + if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_HOTLIST_APS) { + hddLog(LOGE, FL("Number of AP: %u exceeds max: %u"), + pReqMsg->numAp, WLAN_EXTSCAN_MAX_HOTLIST_APS); + goto fail; + } hddLog(VOS_TRACE_LEVEL_INFO, FL("Number of AP (%d)"), pReqMsg->numAp); nla_for_each_nested(apTh, tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) { + if (i == pReqMsg->numAp) { + hddLog(LOGW, FL("Ignoring excess AP")); + break; + } + if(nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, nla_data(apTh), nla_len(apTh), NULL)) { @@ -3551,6 +3561,13 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy, FL("Channel (%u)"), pReqMsg->ap[i].channel); i++; } + + if (i < pReqMsg->numAp) { + hddLog(LOGW, FL("Number of AP %u less than expected %u"), + i, pReqMsg->numAp); + pReqMsg->numAp = i; + } + status = sme_SetBssHotlist(pHddCtx->hHal, pReqMsg); if (!HAL_STATUS_SUCCESS(status)) { hddLog(VOS_TRACE_LEVEL_ERROR, @@ -3678,6 +3695,11 @@ static int __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiph } pReqMsg->numAp = nla_get_u32( tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP]); + if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS) { + hddLog(LOGE, FL("Number of AP %u exceeds max %u"), + pReqMsg->numAp, WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS); + goto fail; + } hddLog(VOS_TRACE_LEVEL_INFO, FL("Number of AP (%d)"), pReqMsg->numAp); pReqMsg->sessionId = pAdapter->sessionId; 
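Review bot: The `numAp > WLAN_EXTSCAN_MAX_HOTLIST_APS` check in the `@@ -3500` hunk bounds the later `pReqMsg->ap[i]` writes only if that constant is the actual capacity of `ap[]`, and the declaration is not visible in this diff. If `ap` is a fixed-size array, pin the relation next to the check with `BUILD_BUG_ON(ARRAY_SIZE(pReqMsg->ap) != WLAN_EXTSCAN_MAX_HOTLIST_APS);`; otherwise add a comment naming where the buffer is sized. The same applies to the `WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS` check in the `@@ -3678` hunk. Both functions start and end outside these hunks, so the `fail:` label and its return code are not covered here.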
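Review bot: After the trimming block in the `@@ -3551` hunk, `pReqMsg->numAp` can end up 0 (no nested AP attribute, or `numAp` supplied as 0) and the request is still passed to `sme_SetBssHotlist()`. If an empty hotlist is not a meaningful request, which cannot be determined from this hunk, reject it before the SME call: `if (i == 0) { hddLog(LOGE, FL("No AP entries supplied")); goto fail; }`. The `@@ -3733` hunk has the same shape ahead of `sme_SetSignificantChange()`. `i` is printed with `%u` while its declaration is outside the hunk, so confirm it is unsigned.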
@@ -3685,6 +3707,12 @@ static int __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiph nla_for_each_nested(apTh, tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) { + + if (i == pReqMsg->numAp) { + hddLog(LOGW, FL("Ignoring excess AP")); + break; + } + if(nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, nla_data(apTh), nla_len(apTh), @@ -3733,6 +3761,12 @@ static int __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiph i++; } + if (i < pReqMsg->numAp) { + hddLog(LOGW, FL("Number of AP %u less than expected %u"), + i, pReqMsg->numAp); + pReqMsg->numAp = i; + } + status = sme_SetSignificantChange(pHddCtx->hHal, pReqMsg); if (!HAL_STATUS_SUCCESS(status)) { hddLog(VOS_TRACE_LEVEL_ERROR, @@ -8817,6 +8851,15 @@ static int __wlan_hdd_change_station(struct wiphy *wiphy, } StaParams.supported_channels_len = j; } + if (params->supported_oper_classes_len > + SIR_MAC_MAX_SUPP_OPER_CLASSES) { + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, + "received oper classes:%d, resetting it to max supported %d", + params->supported_oper_classes_len, + SIR_MAC_MAX_SUPP_OPER_CLASSES); + params->supported_oper_classes_len = + SIR_MAC_MAX_SUPP_OPER_CLASSES; + } vos_mem_copy(StaParams.supported_oper_classes, params->supported_oper_classes, params->supported_oper_classes_len); @@ -16572,6 +16615,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy, void *data, int len (hb_params_temp->params.lphbTcpParamReq.timePeriodSec == 0)) return -EINVAL; + if (buf_len > sizeof(*hb_params)) { + hddLog(LOGE, FL("buf_len=%d exceeded hb_params size limit"), + buf_len); + return -ERANGE; + } + hb_params = (tSirLPHBReq *)vos_mem_malloc(sizeof(tSirLPHBReq)); if (NULL == hb_params) { diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c index a1a31fa030c..3f37bf929a8 100644 --- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c 
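Review bot: The clamp in the `@@ -8817` hunk writes the truncated length back into `params->supported_oper_classes_len`, which modifies the cfg80211-owned request structure instead of only bounding the local copy. Clamping into a local keeps the caller's data intact: `size_t oper_len = min_t(size_t, params->supported_oper_classes_len, SIR_MAC_MAX_SUPP_OPER_CLASSES);`, then pass `oper_len` to `vos_mem_copy()` and to whatever later stores the length in `StaParams` (that assignment is outside the hunk). An over-long list from the caller is also logged at `VOS_TRACE_LEVEL_INFO` only; a warning or error level would make the truncation visible. The copy is safe only if `SIR_MAC_MAX_SUPP_OPER_CLASSES` matches the size of `StaParams.supported_oper_classes`, which this diff does not show.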
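Review bot: The added `buf_len > sizeof(*hb_params)` check in the `@@ -16572` hunk sits after the context lines that already read `hb_params_temp->params.lphbTcpParamReq.timePeriodSec`, and it enforces an upper bound only. If `hb_params_temp` points into the caller-supplied buffer (its assignment is outside the hunk), a buffer shorter than those fields is read before any length validation. Move the check above the first `hb_params_temp` dereference and add a lower bound covering the fields read there, with a comment such as `/* validate buf_len before touching hb_params_temp */`. The neighbouring rejection returns `-EINVAL` while this one returns `-ERANGE`; pick one unless callers distinguish them.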
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c @@ -1056,28 +1056,28 @@ VOS_STATUS hdd_hostapd_SAPEventCB( tpSap_Event pSapEvent, v_PVOID_t usrDataForCa #endif #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,38)) { - struct station_info *staInfo; v_U16_t iesLen = pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.iesLen; - staInfo = vos_mem_malloc(sizeof(*staInfo)); - if (staInfo == NULL) { - hddLog(LOGE, FL("alloc station_info failed")); - return VOS_STATUS_E_NOMEM; - } - - memset(staInfo, 0, sizeof(*staInfo)); if (iesLen <= MAX_ASSOC_IND_IE_LEN ) { - staInfo->assoc_req_ies = + struct station_info *stainfo; + stainfo = vos_mem_malloc(sizeof(*stainfo)); + if (stainfo == NULL) { + hddLog(LOGE, FL("alloc station_info failed")); + return VOS_STATUS_E_NOMEM; + } + memset(stainfo, 0, sizeof(*stainfo)); + + stainfo->assoc_req_ies = (const u8 *)&pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.ies[0]; - staInfo->assoc_req_ies_len = iesLen; + stainfo->assoc_req_ies_len = iesLen; #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,0,31)) - staInfo->filled |= STATION_INFO_ASSOC_REQ_IES; + stainfo->filled |= STATION_INFO_ASSOC_REQ_IES; #endif cfg80211_new_sta(dev, (const u8 *)&pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.staMac.bytes[0], - staInfo, GFP_KERNEL); - vos_mem_free(staInfo); + stainfo, GFP_KERNEL); + vos_mem_free(stainfo); } else { @@ -3972,6 +3972,13 @@ static int __iw_set_ap_genie(struct net_device *dev, return 0; } + if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) { + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, + "%s: WPARSN Ie input length is more than max[%d]", __func__, + wrqu->data.length); + return -EINVAL; + } + switch (genie[0]) { case DOT11F_EID_WPA: diff --git a/drivers/staging/prima/CORE/MAC/src/pe/sch/schBeaconProcess.c b/drivers/staging/prima/CORE/MAC/src/pe/sch/schBeaconProcess.c index 89c509272ce..656533e2515 100644 --- a/drivers/staging/prima/CORE/MAC/src/pe/sch/schBeaconProcess.c 
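Review bot: The error message in the `@@ -3972` hunk says `more than max[%d]` but the argument is `wrqu->data.length`, so the log shows the rejected length labelled as the limit. Print both values: `"%s: WPARSN Ie input length %d is more than max[%d]", __func__, wrqu->data.length, DOT11F_IE_RSN_MAX_LEN);`. The same bound is applied before the `switch (genie[0])` that also handles `DOT11F_EID_WPA`; the copies are outside the hunk, so confirm that `DOT11F_IE_RSN_MAX_LEN` fits every destination buffer used there, including the two-byte element header if `data.length` counts it.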
+++ b/drivers/staging/prima/CORE/MAC/src/pe/sch/schBeaconProcess.c @@ -469,8 +469,8 @@ static void __schBeaconProcessForSession( tpAniSirGlobal pMac, sendProbeReq = TRUE; } - if ( psessionEntry->htCapability && pBeacon->HTInfo.present && - (!LIM_IS_IBSS_ROLE(psessionEntry))) + if (psessionEntry->htCapability && pBeacon->HTInfo.present && + (!LIM_IS_IBSS_ROLE(psessionEntry))) { limUpdateStaRunTimeHTSwitchChnlParams( pMac, &pBeacon->HTInfo, bssIdx,psessionEntry); } |
