summaryrefslogtreecommitdiff
path: root/drivers/net/wireless/rndis_wlan.c
diff options
context:
space:
mode:
authorJohannes Berg <johannes@sipsolutions.net>2008-10-30 22:09:54 +0100
committerJohn W. Linville <linville@tuxdriver.com>2008-11-10 15:11:56 -0500
commit2c706002fc147decdba2658ea48e4436faca3af2 (patch)
tree3e515fa59e6f7de045579f103cba09cd05293de7 /drivers/net/wireless/rndis_wlan.c
parent9b1fbae4b242cf86a878771eb59dc600dde72ec8 (diff)
downloadlwn-2c706002fc147decdba2658ea48e4436faca3af2.tar.gz
lwn-2c706002fc147decdba2658ea48e4436faca3af2.zip
don't use net/ieee80211.h
Convert all the drivers using net/ieee80211.h to use linux/ieee80211.h. Contains a bugfix in libertas where the SSID parsing could overrun the buffer when the AP sends invalid information. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Acked-by: Dan Williams <dcbw@redhat.com> [airo, libertas] Acked-by: Pavel Roskin <proski@gnu.org> [orinoco] Acked-by: David Kilroy <kilroyd@googlemail.com> [orinoco] Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/rndis_wlan.c')
-rw-r--r--drivers/net/wireless/rndis_wlan.c24
1 files changed, 12 insertions, 12 deletions
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index bd059e3c7e2b..a1eeb48f9466 100644
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c
@@ -37,11 +37,11 @@
#include <linux/usb.h>
#include <linux/usb/cdc.h>
#include <linux/wireless.h>
+#include <linux/ieee80211.h>
#include <linux/if_arp.h>
#include <linux/ctype.h>
#include <linux/spinlock.h>
#include <net/iw_handler.h>
-#include <net/ieee80211.h>
#include <linux/usb/usbnet.h>
#include <linux/usb/rndis_host.h>
@@ -1652,7 +1652,7 @@ static char *rndis_translate_scan(struct net_device *dev,
#ifdef DEBUG
struct usbnet *usbdev = dev->priv;
#endif
- struct ieee80211_info_element *ie;
+ u8 *ie;
char *current_val;
int bssid_len, ie_len, i;
u32 beacon, atim;
@@ -1750,20 +1750,20 @@ static char *rndis_translate_scan(struct net_device *dev,
ie_len = min(bssid_len - (int)sizeof(*bssid),
(int)le32_to_cpu(bssid->ie_length));
ie_len -= sizeof(struct ndis_80211_fixed_ies);
- while (ie_len >= sizeof(*ie) && sizeof(*ie) + ie->len <= ie_len) {
- if ((ie->id == MFIE_TYPE_GENERIC && ie->len >= 4 &&
- memcmp(ie->data, "\x00\x50\xf2\x01", 4) == 0) ||
- ie->id == MFIE_TYPE_RSN) {
+ while (ie_len >= 2 && 2 + ie[1] <= ie_len) {
+ if ((ie[0] == WLAN_EID_GENERIC && ie[1] >= 4 &&
+ memcmp(ie + 2, "\x00\x50\xf2\x01", 4) == 0) ||
+ ie[0] == WLAN_EID_RSN) {
devdbg(usbdev, "IE: WPA%d",
- (ie->id == MFIE_TYPE_RSN) ? 2 : 1);
+ (ie[0] == WLAN_EID_RSN) ? 2 : 1);
iwe.cmd = IWEVGENIE;
- iwe.u.data.length = min(ie->len + 2, MAX_WPA_IE_LEN);
- cev = iwe_stream_add_point(info, cev, end_buf, &iwe,
- (u8 *)ie);
+ /* arbitrary cut-off at 64 */
+ iwe.u.data.length = min(ie[1] + 2, 64);
+ cev = iwe_stream_add_point(info, cev, end_buf, &iwe, ie);
}
- ie_len -= sizeof(*ie) + ie->len;
- ie = (struct ieee80211_info_element *)&ie->data[ie->len];
+ ie_len -= 2 + ie[1];
+ ie += 2 + ie[1];
}
return cev;