linux/net/wireless, branch v3.0-rc5Linux kernel source treehttps://git.amat.us/linux/atom/net/wireless?h=v3.0-rc52011-06-07T18:19:07Znl80211: fix overflow in ssid_len2011-06-07T18:19:07ZLuciano Coelhocoelho@ti.com2011-06-07T17:42:26Zurn:sha1:57a27e1d6a3bb9ad4efeebd3a8c71156d6207536
When one of the SSID's length passed in a scan or sched_scan request
is larger than 255, there will be an overflow in the u8 that is used
to store the length before checking. This causes the check to fail
and we overrun the buffer when copying the SSID.
Fix this by checking the nl80211 attribute length before copying it to
the struct.
This is a follow up for the previous commit
208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem
entirely.
Reported-by: Ido Yariv <ido@wizery.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
cfg80211: don't drop p2p probe responses2011-06-01T18:34:01ZEliad Pellereliad@wizery.com2011-05-29T12:53:20Zurn:sha1:333ba7325213f0a09dfa5ceeddb056d6ad74b3b5
Commit 0a35d36 ("cfg80211: Use capability info to detect mesh beacons")
assumed that probe response with both ESS and IBSS bits cleared
means that the frame was sent by a mesh sta.
However, these capabilities are also being used in the p2p_find phase,
and the mesh-validation broke it.
Rename the WLAN_CAPABILITY_IS_MBSS macro, and verify that mesh ies
exist before assuming this frame was sent by a mesh sta.
Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Merge git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem2011-05-27T19:18:35ZJohn W. Linvillelinville@tuxdriver.com2011-05-27T19:18:35Zurn:sha1:11ad2f52826ac6d58d6780d3d8a3e098c88d9142nl80211: fix check for valid SSID size in scan operations2011-05-26T19:43:28ZLuciano Coelhocoelho@ti.com2011-05-18T21:43:38Zurn:sha1:208c72f4fe44fe09577e7975ba0e7fa0278f3d03
In both trigger_scan and sched_scan operations, we were checking for
the SSID length before assigning the value correctly. Since the
memory was just kzalloc'ed, the check was always failing and SSID with
over 32 characters were allowed to go through.
This was causing a buffer overflow when copying the actual SSID to the
proper place.
This bug has been there since 2.6.29-rc4.
Cc: stable@kernel.org
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Merge ssh://master.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem2011-05-24T20:47:54ZJohn W. Linvillelinville@tuxdriver.com2011-05-24T20:47:54Zurn:sha1:31ec97d9cebac804814de298592648f7c18d8281nl80211: remove some stack variables in trigger_scan and start_sched_scan2011-05-19T17:54:17ZLuciano Coelhocoelho@ti.com2011-05-18T08:42:03Zurn:sha1:a2cd43c52aa5c676b03d575177536e05ac672c75
Some stack variables (name *ssid and *channel) are only used to define
the size of the memory block that needs to be allocated for the
request structure in the nl80211_trigger_scan() and
nl80211_start_sched_scan() functions.
This is unnecessary because the sizes of the actual elements in the
structure can be used instead.
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
cfg80211: Use consistent BSS matching between scan and sme2011-05-19T14:37:18ZJouni Malinenjouni.malinen@atheros.com2011-05-16T16:40:15Zurn:sha1:ed9d01026f156db2d638cbb045231c7a8fde877d
cfg80211 scan code adds separate BSS entries if the same BSS shows up
on multiple channels. However, sme implementation does not use the
frequency when fetching the BSS entry. Fix this by adding channel
information to cfg80211_roamed() and include it in cfg80211_get_bss()
calls.
Please note that drivers using cfg80211_roamed() need to be modified to
fully implement this fix. This commit includes only minimal changes to
avoid compilation issues; it maintains the old (broken) behavior for
most drivers. ath6kl was the only one that I could test, so I updated
it to provide the operating frequency in the roamed event.
Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem2011-05-16T23:32:19ZJohn W. Linvillelinville@tuxdriver.com2011-05-16T18:55:42Zurn:sha1:e00cf3b9eb7839b952e434a75bff6b99e47337ac
Conflicts:
drivers/net/wireless/iwlwifi/iwl-agn-tx.c
net/mac80211/sta_info.h
cfg80211: make stripping of 802.11 header optional from AMSDU2011-05-16T18:10:50ZYogesh Ashok Powaryogeshp@marvell.com2011-05-13T18:22:31Zurn:sha1:8b3becadc82de3b87a5c196239db3fef6caa9c82
Currently the devices that have already stripped IEEE 802.11
header from the AMSDU SKB can not use ieee80211_amsdu_to_8023s
routine. This patch enhances ieee80211_amsdu_to_8023s() API by
changing mandatory removing of IEEE 802.11 header from AMSDU
to optional.
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
nl80211: Move peer link state definition to nl802112011-05-16T18:10:49ZJavier Cardonajavier@cozybit.com2011-05-13T17:45:43Zurn:sha1:57cf8043a64b56a10b9f194572548a3dfb62e596
These definitions need to be exposed now that we can set the peer link
states via NL80211_ATTR_STA_PLINK_STATE. They were already being
(opaquely) reported by NL80211_STA_INFO_PLINK_STATE.
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>