author | Johannes Berg <johannes@sipsolutions.net> | 2008-10-31 00:09:54 +0300 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2008-11-10 23:11:56 +0300 |
commit | 2c706002fc147decdba2658ea48e4436faca3af2 (patch) | |
tree | 3e515fa59e6f7de045579f103cba09cd05293de7 /drivers/net/wireless/libertas | |
parent | 9b1fbae4b242cf86a878771eb59dc600dde72ec8 (diff) | |
don't use net/ieee80211.h
Convert all the drivers using net/ieee80211.h to use linux/ieee80211.h.
Contains a bugfix in libertas where the SSID parsing could overrun the
buffer when the AP sends invalid information.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Acked-by: Dan Williams <dcbw@redhat.com> [airo, libertas]
Acked-by: Pavel Roskin <proski@gnu.org> [orinoco]
Acked-by: David Kilroy <kilroyd@googlemail.com> [orinoco]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/libertas')
-rw-r--r-- | drivers/net/wireless/libertas/assoc.c | 18 | ||||
-rw-r--r-- | drivers/net/wireless/libertas/cmd.c | 5 | ||||
-rw-r--r-- | drivers/net/wireless/libertas/dev.h | 7 | ||||
-rw-r--r-- | drivers/net/wireless/libertas/main.c | 3 | ||||
-rw-r--r-- | drivers/net/wireless/libertas/persistcfg.c | 2 | ||||
-rw-r--r-- | drivers/net/wireless/libertas/scan.c | 77 | ||||
-rw-r--r-- | drivers/net/wireless/libertas/scan.h | 4 | ||||
-rw-r--r-- | drivers/net/wireless/libertas/types.h | 5 | ||||
-rw-r--r-- | drivers/net/wireless/libertas/wext.c | 1 |
9 files changed, 65 insertions, 57 deletions
diff --git a/drivers/net/wireless/libertas/assoc.c b/drivers/net/wireless/libertas/assoc.c index 92863780286f..a0e440cd8967 100644 --- a/drivers/net/wireless/libertas/assoc.c +++ b/drivers/net/wireless/libertas/assoc.c @@ -2,6 +2,8 @@ #include <linux/types.h> #include <linux/etherdevice.h> +#include <linux/ieee80211.h> +#include <linux/if_arp.h> #include <net/lib80211.h> #include "assoc.h" @@ -341,12 +343,12 @@ static int lbs_adhoc_start(struct lbs_private *priv, WARN_ON(!assoc_req->channel); /* set Physical parameter set */ - cmd.phyparamset.dsparamset.elementid = MFIE_TYPE_DS_SET; + cmd.phyparamset.dsparamset.elementid = WLAN_EID_DS_PARAMS; cmd.phyparamset.dsparamset.len = 1; cmd.phyparamset.dsparamset.currentchan = assoc_req->channel; /* set IBSS parameter set */ - cmd.ssparamset.ibssparamset.elementid = MFIE_TYPE_IBSS_SET; + cmd.ssparamset.ibssparamset.elementid = WLAN_EID_IBSS_PARAMS; cmd.ssparamset.ibssparamset.len = 2; cmd.ssparamset.ibssparamset.atimwindow = 0; @@ -430,8 +432,8 @@ static inline int match_bss_no_security(struct lbs_802_11_security *secinfo, { if (!secinfo->wep_enabled && !secinfo->WPAenabled && !secinfo->WPA2enabled - && match_bss->wpa_ie[0] != MFIE_TYPE_GENERIC - && match_bss->rsn_ie[0] != MFIE_TYPE_RSN + && match_bss->wpa_ie[0] != WLAN_EID_GENERIC + && match_bss->rsn_ie[0] != WLAN_EID_RSN && !(match_bss->capability & WLAN_CAPABILITY_PRIVACY)) return 1; else @@ -453,7 +455,7 @@ static inline int match_bss_wpa(struct lbs_802_11_security *secinfo, struct bss_descriptor *match_bss) { if (!secinfo->wep_enabled && secinfo->WPAenabled - && (match_bss->wpa_ie[0] == MFIE_TYPE_GENERIC) + && (match_bss->wpa_ie[0] == WLAN_EID_GENERIC) /* privacy bit may NOT be set in some APs like LinkSys WRT54G && (match_bss->capability & WLAN_CAPABILITY_PRIVACY) */ ) 
@@ -466,7 +468,7 @@ static inline int match_bss_wpa2(struct lbs_802_11_security *secinfo, struct bss_descriptor *match_bss) { if (!secinfo->wep_enabled && secinfo->WPA2enabled && - (match_bss->rsn_ie[0] == MFIE_TYPE_RSN) + (match_bss->rsn_ie[0] == WLAN_EID_RSN) /* privacy bit may NOT be set in some APs like LinkSys WRT54G (match_bss->capability & WLAN_CAPABILITY_PRIVACY) */ ) @@ -480,8 +482,8 @@ static inline int match_bss_dynamic_wep(struct lbs_802_11_security *secinfo, { if (!secinfo->wep_enabled && !secinfo->WPAenabled && !secinfo->WPA2enabled - && (match_bss->wpa_ie[0] != MFIE_TYPE_GENERIC) - && (match_bss->rsn_ie[0] != MFIE_TYPE_RSN) + && (match_bss->wpa_ie[0] != WLAN_EID_GENERIC) + && (match_bss->rsn_ie[0] != WLAN_EID_RSN) && (match_bss->capability & WLAN_CAPABILITY_PRIVACY)) return 1; else diff --git a/drivers/net/wireless/libertas/cmd.c b/drivers/net/wireless/libertas/cmd.c index 38843c8b919c..957fd5a10a8d 100644 --- a/drivers/net/wireless/libertas/cmd.c +++ b/drivers/net/wireless/libertas/cmd.c @@ -5,7 +5,6 @@ #include <net/iw_handler.h> #include <net/lib80211.h> -#include <net/ieee80211.h> #include <linux/kfifo.h> #include "host.h" #include "hostcmd.h" @@ -1071,7 +1070,7 @@ int lbs_mesh_config(struct lbs_private *priv, uint16_t action, uint16_t chan) switch (action) { case CMD_ACT_MESH_CONFIG_START: - ie->hdr.id = MFIE_TYPE_GENERIC; + ie->id = WLAN_EID_GENERIC; ie->val.oui[0] = 0x00; ie->val.oui[1] = 0x50; ie->val.oui[2] = 0x43; @@ -1083,7 +1082,7 @@ int lbs_mesh_config(struct lbs_private *priv, uint16_t action, uint16_t chan) ie->val.mesh_capability = MARVELL_MESH_CAPABILITY; ie->val.mesh_id_len = priv->mesh_ssid_len; memcpy(ie->val.mesh_id, priv->mesh_ssid, priv->mesh_ssid_len); - ie->hdr.len = sizeof(struct mrvl_meshie_val) - + ie->len = sizeof(struct mrvl_meshie_val) - IW_ESSID_MAX_SIZE + priv->mesh_ssid_len; cmd.length = cpu_to_le16(sizeof(struct mrvl_meshie_val)); break; 
diff --git a/drivers/net/wireless/libertas/dev.h b/drivers/net/wireless/libertas/dev.h index f6f3753da303..dd682c4cfde8 100644 --- a/drivers/net/wireless/libertas/dev.h +++ b/drivers/net/wireless/libertas/dev.h @@ -10,7 +10,6 @@ #include <linux/wireless.h> #include <linux/ethtool.h> #include <linux/debugfs.h> -#include <net/ieee80211.h> #include "defs.h" #include "hostcmd.h" @@ -278,6 +277,12 @@ struct lbs_private { struct enc_key wpa_mcast_key; struct enc_key wpa_unicast_key; +/* + * In theory, the IE is limited to the IE length, 255, + * but in practice 64 bytes are enough. + */ +#define MAX_WPA_IE_LEN 64 + /** WPA Information Elements*/ u8 wpa_ie[MAX_WPA_IE_LEN]; u8 wpa_ie_len; diff --git a/drivers/net/wireless/libertas/main.c b/drivers/net/wireless/libertas/main.c index 7a1e8b62abf4..241af7fe44bb 100644 --- a/drivers/net/wireless/libertas/main.c +++ b/drivers/net/wireless/libertas/main.c @@ -12,9 +12,8 @@ #include <linux/kthread.h> #include <linux/kfifo.h> #include <linux/stddef.h> - +#include <linux/ieee80211.h> #include <net/iw_handler.h> -#include <net/ieee80211.h> #include "host.h" #include "decl.h" diff --git a/drivers/net/wireless/libertas/persistcfg.c b/drivers/net/wireless/libertas/persistcfg.c index 3309a9c3cfef..56e2401cc768 100644 --- a/drivers/net/wireless/libertas/persistcfg.c +++ b/drivers/net/wireless/libertas/persistcfg.c @@ -233,7 +233,7 @@ static ssize_t mesh_id_set(struct device *dev, struct device_attribute *attr, /* SSID len */ ie->val.mesh_id_len = len; /* IE len */ - ie->hdr.len = sizeof(struct mrvl_meshie_val) - IW_ESSID_MAX_SIZE + len; + ie->len = sizeof(struct mrvl_meshie_val) - IW_ESSID_MAX_SIZE + len; ret = lbs_mesh_config_send(priv, &cmd, CMD_ACT_MESH_CONFIG_SET, CMD_TYPE_MESH_SET_MESH_IE); diff --git a/drivers/net/wireless/libertas/scan.c b/drivers/net/wireless/libertas/scan.c index 5c34ac588189..93f74763a010 100644 --- a/drivers/net/wireless/libertas/scan.c +++ b/drivers/net/wireless/libertas/scan.c 
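Review bot: The comment added with `MAX_WPA_IE_LEN` in dev.h admits that an IE can be up to 255 bytes but does not say what happens to one longer than 64. In scan.c the WPA and RSN IEs are copied with `min(pos[1] + 2, MAX_WPA_IE_LEN)` starting at the IE header, so a truncated copy still carries the original length in its second byte while only 64 bytes are stored (presumably the `bss_descriptor` arrays are sized with the same constant; they are not visible here). I would extend the comment to something like `/* Longer IEs are truncated on copy; always bound reads by wpa_ie_len/rsn_ie_len, never by the IE's own length byte. */`. The define also sits in the middle of `struct lbs_private`, which starts and ends outside the hunk; placing it above the struct would make it easier to find.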
@@ -6,8 +6,8 @@ */ #include <linux/types.h> #include <linux/etherdevice.h> +#include <linux/if_arp.h> #include <asm/unaligned.h> - #include <net/lib80211.h> #include "host.h" @@ -55,6 +55,8 @@ //! Scan time specified in the channel TLV for each channel for active scans #define MRVDRV_ACTIVE_SCAN_CHAN_TIME 100 +#define DEFAULT_MAX_SCAN_AGE (15 * HZ) + static int lbs_ret_80211_scan(struct lbs_private *priv, unsigned long dummy, struct cmd_header *resp); @@ -591,38 +593,36 @@ static int lbs_process_bss(struct bss_descriptor *bss, /* process variable IE */ while (pos <= end - 2) { - struct ieee80211_info_element * elem = (void *)pos; - - if (pos + elem->len > end) { + if (pos + pos[1] > end) { lbs_deb_scan("process_bss: error in processing IE, " "bytes left < IE length\n"); break; } - switch (elem->id) { - case MFIE_TYPE_SSID: - bss->ssid_len = min_t(int, 32, elem->len); - memcpy(bss->ssid, elem->data, bss->ssid_len); + switch (pos[0]) { + case WLAN_EID_SSID: + bss->ssid_len = min_t(int, IEEE80211_MAX_SSID_LEN, pos[1]); + memcpy(bss->ssid, pos + 2, bss->ssid_len); lbs_deb_scan("got SSID IE: '%s', len %u\n", print_ssid(ssid, bss->ssid, bss->ssid_len), bss->ssid_len); break; - case MFIE_TYPE_RATES: - n_basic_rates = min_t(uint8_t, MAX_RATES, elem->len); - memcpy(bss->rates, elem->data, n_basic_rates); + case WLAN_EID_SUPP_RATES: + n_basic_rates = min_t(uint8_t, MAX_RATES, pos[1]); + memcpy(bss->rates, pos + 2, n_basic_rates); got_basic_rates = 1; lbs_deb_scan("got RATES IE\n"); break; - case MFIE_TYPE_FH_SET: + case WLAN_EID_FH_PARAMS: pFH = (struct ieeetypes_fhparamset *) pos; memmove(&bss->phyparamset.fhparamset, pFH, sizeof(struct ieeetypes_fhparamset)); lbs_deb_scan("got FH IE\n"); break; - case MFIE_TYPE_DS_SET: + case WLAN_EID_DS_PARAMS: pDS = (struct ieeetypes_dsparamset *) pos; bss->channel = pDS->currentchan; memcpy(&bss->phyparamset.dsparamset, pDS, 
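Review bot: The bounds check at the top of the IE loop in lbs_process_bss, `if (pos + pos[1] > end)`, leaves out the two header bytes, so the body of the last element can run up to two bytes past `end` and still be accepted (assuming `end` points one past the last byte, as the `pos <= end - 2` loop condition suggests). It should read `if (pos + 2 + pos[1] > end)`; the rewrite carried the gap over from the old `pos + elem->len > end`. Separately, the FH and DS cases in this hunk, and the CF and IBSS cases in the following hunks, copy `sizeof` the whole parameter-set struct from `pos` without comparing it to `pos[1]`, so a short element near the end of the frame is read past its declared length; each needs a minimum-length check on `pos[1]` before the copy. The function starts and ends outside this hunk.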
@@ -630,14 +630,14 @@ static int lbs_process_bss(struct bss_descriptor *bss, lbs_deb_scan("got DS IE, channel %d\n", bss->channel); break; - case MFIE_TYPE_CF_SET: + case WLAN_EID_CF_PARAMS: pCF = (struct ieeetypes_cfparamset *) pos; memcpy(&bss->ssparamset.cfparamset, pCF, sizeof(struct ieeetypes_cfparamset)); lbs_deb_scan("got CF IE\n"); break; - case MFIE_TYPE_IBSS_SET: + case WLAN_EID_IBSS_PARAMS: pibss = (struct ieeetypes_ibssparamset *) pos; bss->atimwindow = le16_to_cpu(pibss->atimwindow); memmove(&bss->ssparamset.ibssparamset, pibss, @@ -645,7 +645,7 @@ static int lbs_process_bss(struct bss_descriptor *bss, lbs_deb_scan("got IBSS IE\n"); break; - case MFIE_TYPE_COUNTRY: + case WLAN_EID_COUNTRY: pcountryinfo = (struct ieeetypes_countryinfoset *) pos; lbs_deb_scan("got COUNTRY IE\n"); if (pcountryinfo->len < sizeof(pcountryinfo->countrycode) @@ -662,7 +662,7 @@ static int lbs_process_bss(struct bss_descriptor *bss, (int) (pcountryinfo->len + 2)); break; - case MFIE_TYPE_RATES_EX: + case WLAN_EID_EXT_SUPP_RATES: /* only process extended supported rate if data rate is * already found. Data rate IE should come before * extended supported rate IE 
@@ -673,50 +673,51 @@ static int lbs_process_bss(struct bss_descriptor *bss, break; } - n_ex_rates = elem->len; + n_ex_rates = pos[1]; if (n_basic_rates + n_ex_rates > MAX_RATES) n_ex_rates = MAX_RATES - n_basic_rates; p = bss->rates + n_basic_rates; - memcpy(p, elem->data, n_ex_rates); + memcpy(p, pos + 2, n_ex_rates); break; - case MFIE_TYPE_GENERIC: - if (elem->len >= 4 && - elem->data[0] == 0x00 && elem->data[1] == 0x50 && - elem->data[2] == 0xf2 && elem->data[3] == 0x01) { - bss->wpa_ie_len = min(elem->len + 2, MAX_WPA_IE_LEN); - memcpy(bss->wpa_ie, elem, bss->wpa_ie_len); + case WLAN_EID_GENERIC: + if (pos[1] >= 4 && + pos[2] == 0x00 && pos[3] == 0x50 && + pos[4] == 0xf2 && pos[5] == 0x01) { + bss->wpa_ie_len = min(pos[1] + 2, MAX_WPA_IE_LEN); + memcpy(bss->wpa_ie, pos, bss->wpa_ie_len); lbs_deb_scan("got WPA IE\n"); - lbs_deb_hex(LBS_DEB_SCAN, "WPA IE", bss->wpa_ie, elem->len); - } else if (elem->len >= MARVELL_MESH_IE_LENGTH && - elem->data[0] == 0x00 && elem->data[1] == 0x50 && - elem->data[2] == 0x43 && elem->data[3] == 0x04) { + lbs_deb_hex(LBS_DEB_SCAN, "WPA IE", bss->wpa_ie, + bss->wpa_ie_len); + } else if (pos[1] >= MARVELL_MESH_IE_LENGTH && + pos[2] == 0x00 && pos[3] == 0x50 && + pos[4] == 0x43 && pos[4] == 0x04) { lbs_deb_scan("got mesh IE\n"); bss->mesh = 1; } else { lbs_deb_scan("got generic IE: %02x:%02x:%02x:%02x, len %d\n", - elem->data[0], elem->data[1], - elem->data[2], elem->data[3], - elem->len); + pos[2], pos[3], + pos[4], pos[5], + pos[1]); } break; - case MFIE_TYPE_RSN: + case WLAN_EID_RSN: lbs_deb_scan("got RSN IE\n"); - bss->rsn_ie_len = min(elem->len + 2, MAX_WPA_IE_LEN); - memcpy(bss->rsn_ie, elem, bss->rsn_ie_len); + bss->rsn_ie_len = min(pos[1] + 2, MAX_WPA_IE_LEN); + memcpy(bss->rsn_ie, pos, bss->rsn_ie_len); lbs_deb_hex(LBS_DEB_SCAN, "process_bss: RSN_IE", - bss->rsn_ie, elem->len); + bss->rsn_ie, bss->rsn_ie_len); break; default: lbs_deb_scan("got IE 0x%04x, len %d\n", - elem->id, elem->len); + pos[0], pos[1]); break; } - pos += 
elem->len + 2; + pos += pos[1] + 2; } /* Timestamp */ diff --git a/drivers/net/wireless/libertas/scan.h b/drivers/net/wireless/libertas/scan.h index 9e07b0464a8e..fab7d5d097fc 100644 --- a/drivers/net/wireless/libertas/scan.h +++ b/drivers/net/wireless/libertas/scan.h @@ -7,6 +7,10 @@ #ifndef _LBS_SCAN_H #define _LBS_SCAN_H +#include <net/iw_handler.h> + +#define MAX_NETWORK_COUNT 128 + /** * @brief Maximum number of channels that can be sent in a setuserscan ioctl */ diff --git a/drivers/net/wireless/libertas/types.h b/drivers/net/wireless/libertas/types.h index e0c2599da92f..fb7a2d1a2525 100644 --- a/drivers/net/wireless/libertas/types.h +++ b/drivers/net/wireless/libertas/types.h @@ -7,7 +7,6 @@ #include <linux/if_ether.h> #include <asm/byteorder.h> #include <linux/wireless.h> -#include <net/ieee80211.h> struct ieeetypes_cfparamset { u8 elementid; @@ -258,7 +257,7 @@ struct mrvlietypes_ledbhv { * Note that the len member of the ieee80211_info_element varies depending on * the mesh_id_len */ struct mrvl_meshie_val { - uint8_t oui[P80211_OUI_LEN]; + uint8_t oui[3]; uint8_t type; uint8_t subtype; uint8_t version; @@ -270,7 +269,7 @@ struct mrvl_meshie_val { } __attribute__ ((packed)); struct mrvl_meshie { - struct ieee80211_info_element hdr; + u8 id, len; struct mrvl_meshie_val val; } __attribute__ ((packed)); diff --git a/drivers/net/wireless/libertas/wext.c b/drivers/net/wireless/libertas/wext.c index d4c6a659b562..fe7498f12147 100644 --- a/drivers/net/wireless/libertas/wext.c +++ b/drivers/net/wireless/libertas/wext.c @@ -9,7 +9,6 @@ #include <linux/bitops.h> #include <net/lib80211.h> -#include <net/ieee80211.h> #include <net/iw_handler.h> #include "host.h" |
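Review bot: The mesh IE test in the WLAN_EID_GENERIC case compares the same byte twice, `pos[4] == 0x43 && pos[4] == 0x04`, which can never be true, so `bss->mesh` is never set by this branch and mesh beacons fall through to the generic-IE debug print. The removed code checked `elem->data[2] == 0x43 && elem->data[3] == 0x04`, so the second comparison should be `pos[5] == 0x04`. The trailing `else` also prints `pos[2]` through `pos[5]` without the `pos[1] >= 4` guard the other two branches have, so a generic IE shorter than four bytes makes the debug print read beyond the element. The enclosing loop starts outside this hunk.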
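Review bot: The comment kept above `struct mrvl_meshie_val` in types.h still says the `len` member of the `ieee80211_info_element` varies with `mesh_id_len`, but the next hunk replaces that header with plain `u8 id, len;` in `struct mrvl_meshie`. It should be reworded to `the len member of struct mrvl_meshie`. The bare `oui[3]` that replaces `P80211_OUI_LEN` would also read better with a named constant or a short comment, since cmd.c fills the three bytes by index.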