From: Jes Sorensen Date: Thu, 19 Jun 2014 09:37:29 +0000 (+0200) Subject: staging: rtl8723au: issue_probersp(): Do not copy the IEs in front of probe_resp... X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=08519034b3f75e030582724b9f1a280a5b0cfb73;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git staging: rtl8723au: issue_probersp(): Do not copy the IEs in front of probe_resp data Another case where the driver was copying IEs in front of the probe_resp data in the management frame, when running in AP mode. This would result in badly corrupted frames hitting the wire - ouf ouf ouf! Signed-off-by: Jes Sorensen Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/rtl8723au/core/rtw_mlme_ext.c b/drivers/staging/rtl8723au/core/rtw_mlme_ext.c index 9b83a701ccb2..d2a09c653e72 100644 --- a/drivers/staging/rtl8723au/core/rtw_mlme_ext.c +++ b/drivers/staging/rtl8723au/core/rtw_mlme_ext.c @@ -2544,7 +2544,7 @@ static void issue_probersp(struct rtw_adapter *padapter, unsigned char *da, struct xmit_frame *pmgntframe; struct pkt_attrib *pattrib; unsigned char *pframe; - struct ieee80211_hdr *pwlanhdr; + struct ieee80211_mgmt *mgmt; unsigned char *mac, *bssid; struct xmit_priv *pxmitpriv = &padapter->xmitpriv; #ifdef CONFIG_8723AU_AP_MODE @@ -2564,6 +2564,9 @@ static void issue_probersp(struct rtw_adapter *padapter, unsigned char *da, /* DBG_8723A("%s\n", __func__); */ + if (cur_network->IELength > MAX_IE_SZ) + return; + pmgntframe = alloc_mgtxmitframe23a(pxmitpriv); if (!pmgntframe) { DBG_8723A("%s, alloc mgnt frame fail\n", __func__); @@ -2577,28 +2580,35 @@ static void issue_probersp(struct rtw_adapter *padapter, unsigned char *da, memset(pmgntframe->buf_addr, 0, WLANHDR_OFFSET + TXDESC_OFFSET); pframe = (u8 *)pmgntframe->buf_addr + TXDESC_OFFSET; - pwlanhdr = (struct ieee80211_hdr *)pframe; + mgmt = (struct ieee80211_mgmt *)pframe; mac = myid(&padapter->eeprompriv); bssid = cur_network->MacAddress; - pwlanhdr->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | - IEEE80211_STYPE_PROBE_RESP); + mgmt->frame_control = + cpu_to_le16(IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_RESP); - ether_addr_copy(pwlanhdr->addr1, da); - ether_addr_copy(pwlanhdr->addr2, mac); - ether_addr_copy(pwlanhdr->addr3, bssid); + ether_addr_copy(mgmt->da, da); + ether_addr_copy(mgmt->sa, mac); + ether_addr_copy(mgmt->bssid, bssid); - pwlanhdr->seq_ctrl = - cpu_to_le16(IEEE80211_SN_TO_SEQ(pmlmeext->mgnt_seq)); + mgmt->seq_ctrl = cpu_to_le16(IEEE80211_SN_TO_SEQ(pmlmeext->mgnt_seq)); pmlmeext->mgnt_seq++; pattrib->hdrlen = sizeof(struct ieee80211_hdr_3addr); - pattrib->pktlen = pattrib->hdrlen; - pframe += pattrib->hdrlen; - if (cur_network->IELength > MAX_IE_SZ) - return; + /* timestamp will be inserted by hardware */ + put_unaligned_le16(cur_network->beacon_interval, + &mgmt->u.probe_resp.beacon_int); + + put_unaligned_le16(cur_network->capability, + &mgmt->u.probe_resp.capab_info); + + pframe = mgmt->u.probe_resp.variable; + pattrib->pktlen = + offsetof(struct ieee80211_mgmt, u.probe_resp.variable); + + /* below for ad-hoc mode */ #ifdef CONFIG_8723AU_AP_MODE if ((pmlmeinfo->state & 0x03) == WIFI_FW_AP_STATE) { @@ -2682,29 +2692,6 @@ static void issue_probersp(struct rtw_adapter *padapter, unsigned char *da, } else #endif { - - /* timestamp will be inserted by hardware */ - pframe += 8; - pattrib->pktlen += 8; - - /* beacon interval: 2 bytes */ - - memcpy(pframe, (unsigned char *) - rtw_get_beacon_interval23a_from_ie(cur_network->IEs), 2); - - pframe += 2; - pattrib->pktlen += 2; - - /* capability info: 2 bytes */ - - memcpy(pframe, (unsigned char *) - rtw_get_capability23a_from_ie(cur_network->IEs), 2); - - pframe += 2; - pattrib->pktlen += 2; - - /* below for ad-hoc mode */ - /* SSID */ pframe = rtw_set_ie23a(pframe, WLAN_EID_SSID, cur_network->Ssid.ssid_len,