Commit 977b143c authored by Al Viro's avatar Al Viro Committed by David S. Miller

airo: fix transmit_802_11_packet()

a) gaplen would better be stored little-endian
b) for control packets (shorter than 24-byte header) we ended up with
        bap_write(ai, hdrlen == 30 ?
                (const u16*)&gap.gaplen : (const u16*)&gap, 38 - hdrlen, BAP1);
passing to card the data past the end of gap (i.e. random stuff from stack)
and did _not_ feed the gaplen at the right offset.
c) sending the contents of uninitialized fields of struct is Not Nice(tm) either
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 8524f59d
...@@ -4365,14 +4365,10 @@ static int transmit_802_11_packet(struct airo_info *ai, int len, char *pPacket) ...@@ -4365,14 +4365,10 @@ static int transmit_802_11_packet(struct airo_info *ai, int len, char *pPacket)
Cmd cmd; Cmd cmd;
Resp rsp; Resp rsp;
int hdrlen; int hdrlen;
struct { static u8 tail[(30-10) + 2 + 6] = {[30-10] = 6};
u8 addr4[ETH_ALEN]; /* padding of header to full size + le16 gaplen (6) + gaplen bytes */
u16 gaplen;
u8 gap[6];
} gap;
u16 txFid = len; u16 txFid = len;
len >>= 16; len >>= 16;
gap.gaplen = 6;
fc = le16_to_cpu(*(const u16*)pPacket); fc = le16_to_cpu(*(const u16*)pPacket);
switch (fc & 0xc) { switch (fc & 0xc) {
...@@ -4405,8 +4401,7 @@ static int transmit_802_11_packet(struct airo_info *ai, int len, char *pPacket) ...@@ -4405,8 +4401,7 @@ static int transmit_802_11_packet(struct airo_info *ai, int len, char *pPacket)
bap_write(ai, &payloadLen, sizeof(payloadLen),BAP1); bap_write(ai, &payloadLen, sizeof(payloadLen),BAP1);
if (bap_setup(ai, txFid, 0x0014, BAP1) != SUCCESS) return ERROR; if (bap_setup(ai, txFid, 0x0014, BAP1) != SUCCESS) return ERROR;
bap_write(ai, (const u16*)pPacket, hdrlen, BAP1); bap_write(ai, (const u16*)pPacket, hdrlen, BAP1);
bap_write(ai, hdrlen == 30 ? bap_write(ai, (u16 *)(tail + (hdrlen - 10)), 38 - hdrlen, BAP1);
(const u16*)&gap.gaplen : (const u16*)&gap, 38 - hdrlen, BAP1);
bap_write(ai, (const u16*)(pPacket + hdrlen), len - hdrlen, BAP1); bap_write(ai, (const u16*)(pPacket + hdrlen), len - hdrlen, BAP1);
// issue the transmit command // issue the transmit command
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment