From ee5b1aadfd5cda257337a9b9777114a10c18c31e Mon Sep 17 00:00:00 2001
From: Ali Bahar
Date: Sun, 4 Sep 2011 03:14:21 +0800
Subject: staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes. In r8712_generate_ie(), HT check is no longer done. Removed r8712_add_ht_addt_info(). Changes to defragmentation handling, and queue selection. Get TSSI command. Added an Ad-Hoc check to is_desired_network() r8712_ind_disconnect() now checks for Linked state. r8712_xmit_bh() now schedules an xmit tasklet.
Signed-off-by: Ali Bahar
Signed-off-by: Larry Finger
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/rtl8712/rtl871x_mlme.c | 58 ++++++++++------------------------
 1 file changed, 16 insertions(+), 42 deletions(-)
(limited to 'drivers/staging/rtl8712/rtl871x_mlme.c')
diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c
index 866554d..c475b96 100644
--- a/drivers/staging/rtl8712/rtl871x_mlme.c
+++ b/drivers/staging/rtl8712/rtl871x_mlme.c
@@ -52,6 +52,8 @@ static sint _init_mlme_priv(struct _adapter *padapter)
 pmlmepriv->fw_state = 0;
 pmlmepriv->cur_network.network.InfrastructureMode = Ndis802_11AutoUnknown;
+ /* Maybe someday we should rename this variable to "active_mode"(Jeff)*/
+ pmlmepriv->passive_mode = 1; /* 1: active, 0: passive. */
 spin_lock_init(&(pmlmepriv->lock));
 spin_lock_init(&(pmlmepriv->lock2));
 _init_queue(&(pmlmepriv->free_bss_pool));
@@ -485,6 +487,12 @@ static int is_desired_network(struct _adapter *adapter,
 if ((psecuritypriv->PrivacyAlgrthm != _NO_PRIVACY_) && (pnetwork->network.Privacy == 0))
 bselected = false;
+ if (check_fwstate(&adapter->mlmepriv, WIFI_ADHOC_STATE) == true) {
+ if (pnetwork->network.InfrastructureMode !=
+ adapter->mlmepriv.cur_network.network.
+ InfrastructureMode)
+ bselected = false;
+ }
 return bselected;
 }
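Review bot: In the is_desired_network hunk the new Ad-Hoc test is written as two nested `if`s around `check_fwstate(...) == true`, which spreads one condition over five lines and only works if check_fwstate returns exactly `true` rather than any non-zero value (its definition is not on this page). A single condition reads more directly: `if (check_fwstate(&adapter->mlmepriv, WIFI_ADHOC_STATE) && pnetwork->network.InfrastructureMode != adapter->mlmepriv.cur_network.network.InfrastructureMode) bselected = false;`. The same `== true` comparison appears in the r8712_ind_disconnect hunk. The function starts above this hunk, so whether `cur_network` is read under a lock here cannot be confirmed from the visible lines.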
@@ -683,9 +691,11 @@ void r8712_ind_disconnect(struct _adapter *padapter)
 {
 struct mlme_priv *pmlmepriv = &padapter->mlmepriv;
- _clr_fwstate_(pmlmepriv, _FW_LINKED);
- padapter->ledpriv.LedControlHandler(padapter, LED_CTL_NO_LINK);
- r8712_os_indicate_disconnect(padapter);
+ if (check_fwstate(pmlmepriv, _FW_LINKED) == true) {
+ _clr_fwstate_(pmlmepriv, _FW_LINKED);
+ padapter->ledpriv.LedControlHandler(padapter, LED_CTL_NO_LINK);
+ r8712_os_indicate_disconnect(padapter);
+ }
 if (padapter->pwrctrlpriv.pwr_mode != padapter->registrypriv.power_mgnt) {
 _cancel_timer_ex(&pmlmepriv->dhcp_timer);
@@ -718,9 +728,9 @@ void r8712_joinbss_event_callback(struct _adapter *adapter, u8 *pbuf)
 if (sizeof(struct list_head) == 4 * sizeof(u32)) {
 pnetwork = (struct wlan_network *)
- _malloc(sizeof(struct wlan_network));
+ _malloc(sizeof(struct wlan_network));
 memcpy((u8 *)pnetwork+16, (u8 *)pbuf + 8,
- sizeof(struct wlan_network) - 16);
+ sizeof(struct wlan_network) - 16);
 } else
 pnetwork = (struct wlan_network *)pbuf;
@@ -1657,7 +1667,7 @@ void r8712_update_registrypriv_dev_network(struct _adapter *adapter)
 /* 1. Supported rates * 2. IE */
- sz = r8712_generate_ie(pregistrypriv, adapter);
+ sz = r8712_generate_ie(pregistrypriv);
 pdev_network->IELength = sz;
 pdev_network->Length = r8712_get_ndis_wlan_bssid_ex_sz( (struct ndis_wlan_bssid_ex *)pdev_network);
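Review bot: The new guard in r8712_ind_disconnect tests `_FW_LINKED` and then clears it as a separate step, so two contexts that reach this function while linked could both pass the test and both indicate a disconnect unless something outside the hunk serialises them. No lock is taken in the visible lines and the callers are not shown, so the requirement should be stated above the test, for example `/* caller must hold pmlmepriv->lock: the _FW_LINKED test and clear must not interleave */`, assuming that is the lock guarding fw_state. If callers do not hold it, the test and clear belong inside the locked region. The function body continues past the end of the hunk.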
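Review bot: In the r8712_joinbss_event_callback hunk the result of `_malloc(sizeof(struct wlan_network))` goes straight into `memcpy((u8 *)pnetwork+16, ...)` with no NULL test, so an allocation failure becomes a write through a near-NULL pointer in kernel context; the re-indentation leaves that as it was. A guard directly after the allocation would close it: `if (pnetwork == NULL) return;`. The copy also reads `sizeof(struct wlan_network) - 16` bytes from `pbuf + 8`, and nothing visible shows that the event buffer is at least that long, so the length is worth checking where the buffer's size is known. The function starts and ends outside the hunk, so the release of the copied object cannot be checked from here.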
@@ -1802,39 +1812,3 @@ void r8712_issue_addbareq_cmd(struct _adapter *padapter, int priority)
 }
 }
 }
-
-/*the function is >= passive_level*/
-unsigned int r8712_add_ht_addt_info(struct _adapter *padapter,
- u8 *in_ie, u8 *out_ie,
- uint in_len, uint *pout_len)
-{
- u32 ielen, out_len = 0;
- unsigned char *p, *pframe;
- struct ieee80211_ht_addt_info ht_addt_info;
- struct mlme_priv *pmlmepriv = &padapter->mlmepriv;
- struct ht_priv *phtpriv = &pmlmepriv->htpriv;
- struct registry_priv *pregistrypriv = &padapter->registrypriv;
- out_len = *pout_len;
-
- if (pregistrypriv->ht_enable == 1) {
- p = r8712_get_ie(in_ie+12, _HT_ADD_INFO_IE_,
- &ielen, in_len - 12);
- if (p && (ielen > 0)) {
- ; /* dummy branch */
- } else {
- if (p == NULL) {
- int sz = sizeof(struct ieee80211_ht_addt_info);
- memset(&ht_addt_info, 0, sz);
- /*need to add the HT additional IEs*/
- ht_addt_info.control_chan =
- pregistrypriv->channel;
- pframe = r8712_set_ie(out_ie + out_len,
- _HT_ADD_INFO_IE_,
- sz,
- (unsigned char *)&ht_addt_info,
- pout_len);
- }
- }
- }
- return phtpriv->ht_option;
-}
--
cgit v1.1
From 447ff8865209e48e231de804c47eb4677f2318be Mon Sep 17 00:00:00 2001
From: Larry Finger
Date: Sat, 8 Oct 2011 14:01:06 -0500
Subject: staging: r8712u: Fix possible out-of-bounds index with TKIP and AES keys Array XGrpKey has only 2 elements and uses (keyid - 1) as the index, which allows the possibility of memory corruption from an out-of-bounds index. This problem was reported by a new version of smatch.
Reported-by: Dan Carpenter
Signed-off-by: Larry Finger
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/rtl8712/rtl871x_mlme.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'drivers/staging/rtl8712/rtl871x_mlme.c')
diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c
index c475b96..ef8eb6c 100644
--- a/drivers/staging/rtl8712/rtl871x_mlme.c
+++ b/drivers/staging/rtl8712/rtl871x_mlme.c
@@ -1281,12 +1281,16 @@ sint r8712_set_key(struct _adapter *adapter,
 psecuritypriv->DefKey[keyid].skey, keylen);
 break;
 case _TKIP_:
+ if (keyid < 1 || keyid > 2)
+ return _FAIL;
 keylen = 16;
 memcpy(psetkeyparm->key, &psecuritypriv->XGrpKey[keyid - 1], keylen);
 psetkeyparm->grpkey = 1;
 break;
 case _AES_:
+ if (keyid < 1 || keyid > 2)
+ return _FAIL;
 keylen = 16;
 memcpy(psetkeyparm->key, &psecuritypriv->XGrpKey[keyid - 1], keylen);
--
cgit v1.1
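Review bot: The new `return _FAIL;` in the `_TKIP_` and `_AES_` cases leaves r8712_set_key after `psetkeyparm` has already been obtained, so if that object (and anything allocated alongside it) comes from the heap earlier in the function, every rejected keyid leaks it; the allocation is above the hunk and needs confirming there. If so, the rejection path should release what was allocated before returning, or the keyid check should move ahead of the allocation. The literal `2` also duplicates the array size; `if (keyid < 1 || keyid > ARRAY_SIZE(psecuritypriv->XGrpKey)) return _FAIL;` keeps the bound tied to the declaration. The `DefKey[keyid]` index in the case just above gets no comparable check in the visible lines.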