diff options
author | Johannes Berg <johannes@sipsolutions.net> | 2008-10-30 22:09:54 +0100 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2008-11-10 15:11:56 -0500 |
commit | 2c706002fc147decdba2658ea48e4436faca3af2 (patch) | |
tree | 3e515fa59e6f7de045579f103cba09cd05293de7 /drivers/net/wireless/rndis_wlan.c | |
parent | 9b1fbae4b242cf86a878771eb59dc600dde72ec8 (diff) | |
download | lwn-2c706002fc147decdba2658ea48e4436faca3af2.tar.gz lwn-2c706002fc147decdba2658ea48e4436faca3af2.zip |
don't use net/ieee80211.h
Convert all the drivers using net/ieee80211.h to use linux/ieee80211.h.
Contains a bugfix in libertas where the SSID parsing could overrun the
buffer when the AP sends invalid information.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Acked-by: Dan Williams <dcbw@redhat.com> [airo, libertas]
Acked-by: Pavel Roskin <proski@gnu.org> [orinoco]
Acked-by: David Kilroy <kilroyd@googlemail.com> [orinoco]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/rndis_wlan.c')
-rw-r--r-- | drivers/net/wireless/rndis_wlan.c | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c index bd059e3c7e2b..a1eeb48f9466 100644 --- a/drivers/net/wireless/rndis_wlan.c +++ b/drivers/net/wireless/rndis_wlan.c @@ -37,11 +37,11 @@ #include <linux/usb.h> #include <linux/usb/cdc.h> #include <linux/wireless.h> +#include <linux/ieee80211.h> #include <linux/if_arp.h> #include <linux/ctype.h> #include <linux/spinlock.h> #include <net/iw_handler.h> -#include <net/ieee80211.h> #include <linux/usb/usbnet.h> #include <linux/usb/rndis_host.h> @@ -1652,7 +1652,7 @@ static char *rndis_translate_scan(struct net_device *dev, #ifdef DEBUG struct usbnet *usbdev = dev->priv; #endif - struct ieee80211_info_element *ie; + u8 *ie; char *current_val; int bssid_len, ie_len, i; u32 beacon, atim; @@ -1750,20 +1750,20 @@ static char *rndis_translate_scan(struct net_device *dev, ie_len = min(bssid_len - (int)sizeof(*bssid), (int)le32_to_cpu(bssid->ie_length)); ie_len -= sizeof(struct ndis_80211_fixed_ies); - while (ie_len >= sizeof(*ie) && sizeof(*ie) + ie->len <= ie_len) { - if ((ie->id == MFIE_TYPE_GENERIC && ie->len >= 4 && - memcmp(ie->data, "\x00\x50\xf2\x01", 4) == 0) || - ie->id == MFIE_TYPE_RSN) { + while (ie_len >= 2 && 2 + ie[1] <= ie_len) { + if ((ie[0] == WLAN_EID_GENERIC && ie[1] >= 4 && + memcmp(ie + 2, "\x00\x50\xf2\x01", 4) == 0) || + ie[0] == WLAN_EID_RSN) { devdbg(usbdev, "IE: WPA%d", - (ie->id == MFIE_TYPE_RSN) ? 2 : 1); + (ie[0] == WLAN_EID_RSN) ? 2 : 1); iwe.cmd = IWEVGENIE; - iwe.u.data.length = min(ie->len + 2, MAX_WPA_IE_LEN); - cev = iwe_stream_add_point(info, cev, end_buf, &iwe, - (u8 *)ie); + /* arbitrary cut-off at 64 */ + iwe.u.data.length = min(ie[1] + 2, 64); + cev = iwe_stream_add_point(info, cev, end_buf, &iwe, ie); } - ie_len -= sizeof(*ie) + ie->len; - ie = (struct ieee80211_info_element *)&ie->data[ie->len]; + ie_len -= 2 + ie[1]; + ie += 2 + ie[1]; } return cev; |