From: Al Viro Date: Wed, 19 Dec 2007 21:45:29 +0000 (-0500) Subject: airo: fix transmit_802_11_packet() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=977b143c13e685081625704ac356b741d71c6a73;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git airo: fix transmit_802_11_packet() a) gaplen would better be stored little-endian b) for control packets (shorter than 24-byte header) we ended up with bap_write(ai, hdrlen == 30 ? (const u16*)&gap.gaplen : (const u16*)&gap, 38 - hdrlen, BAP1); passing to card the data past the end of gap (i.e. random stuff from stack) and did _not_ feed the gaplen at the right offset. c) sending the contents of uninitialized fields of struct is Not Nice(tm) either Signed-off-by: Al Viro Signed-off-by: John W. Linville --- diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c index be9aa4efeca..24fa0d62efe 100644 --- a/drivers/net/wireless/airo.c +++ b/drivers/net/wireless/airo.c @@ -4365,14 +4365,10 @@ static int transmit_802_11_packet(struct airo_info *ai, int len, char *pPacket) Cmd cmd; Resp rsp; int hdrlen; - struct { - u8 addr4[ETH_ALEN]; - u16 gaplen; - u8 gap[6]; - } gap; + static u8 tail[(30-10) + 2 + 6] = {[30-10] = 6}; + /* padding of header to full size + le16 gaplen (6) + gaplen bytes */ u16 txFid = len; len >>= 16; - gap.gaplen = 6; fc = le16_to_cpu(*(const u16*)pPacket); switch (fc & 0xc) { @@ -4405,8 +4401,7 @@ static int transmit_802_11_packet(struct airo_info *ai, int len, char *pPacket) bap_write(ai, &payloadLen, sizeof(payloadLen),BAP1); if (bap_setup(ai, txFid, 0x0014, BAP1) != SUCCESS) return ERROR; bap_write(ai, (const u16*)pPacket, hdrlen, BAP1); - bap_write(ai, hdrlen == 30 ? - (const u16*)&gap.gaplen : (const u16*)&gap, 38 - hdrlen, BAP1); + bap_write(ai, (u16 *)(tail + (hdrlen - 10)), 38 - hdrlen, BAP1); bap_write(ai, (const u16*)(pPacket + hdrlen), len - hdrlen, BAP1); // issue the transmit command