| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 26 Nov 2022 17:01:23 +0100
From: Martin Kaiser <martin@...ser.cx>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Larry Finger <Larry.Finger@...inger.net>,
Phillip Potter <phil@...lpotter.co.uk>,
Michael Straube <straube.linux@...il.com>,
Pavel Skripkin <paskripkin@...il.com>,
linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org,
Martin Kaiser <martin@...ser.cx>
Subject: [PATCH 04/10] staging: r8188eu: pass only ies to process_p2p_ps_ie
The process_p2p_ps_ie function parses the information elements of a beacon
message and extracts p2p-related info.
process_p2p_ps_ie does not receive a pointer to the information elements
as one would expect. Instead it receives a pointer to the timestamp field
in the beacon message. process_p2p_ps_ie increments this pointer by
_BEACON_IE_OFFSET_ to jump to the start of the information elements (and
decreases the buffer length accordingly).
This is clumsy and hard to understand. Rewrite this such that
process_p2p_ps_ie takes a pointer to the information elements and the
total length of all elements. Check up-front that the total length is
not negative.
Signed-off-by: Martin Kaiser <martin@...ser.cx>
---
drivers/staging/r8188eu/core/rtw_mlme_ext.c | 9 ++++++++-
drivers/staging/r8188eu/core/rtw_p2p.c | 11 ++---------
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/r8188eu/core/rtw_mlme_ext.c b/drivers/staging/r8188eu/core/rtw_mlme_ext.c
index 5a31b20dc46d..07c57a2b61b9 100644
--- a/drivers/staging/r8188eu/core/rtw_mlme_ext.c
+++ b/drivers/staging/r8188eu/core/rtw_mlme_ext.c
@@ -556,6 +556,13 @@ static void OnBeacon(struct adapter *padapter, struct recv_frame *precv_frame)
uint len = precv_frame->len;
struct wlan_bssid_ex *pbss;
int ret = _SUCCESS;
+ u8 *ie_ptr;
+ u32 ie_len;
+
+ ie_ptr = (u8 *)&mgmt->u.beacon.variable;
+ if (precv_frame->len < offsetof(struct ieee80211_mgmt, u.beacon.variable))
+ return;
+ ie_len = precv_frame->len - offsetof(struct ieee80211_mgmt, u.beacon.variable);
if (pmlmeext->sitesurvey_res.state == SCAN_PROCESS) {
report_survey_event(padapter, precv_frame);
@@ -598,7 +605,7 @@ static void OnBeacon(struct adapter *padapter, struct recv_frame *precv_frame)
/* todo: the timer is used instead of the number of the beacon received */
if ((sta_rx_pkts(psta) & 0xf) == 0)
update_beacon_info(padapter, pframe, len, psta);
- process_p2p_ps_ie(padapter, (pframe + WLAN_HDR_A3_LEN), (len - WLAN_HDR_A3_LEN));
+ process_p2p_ps_ie(padapter, ie_ptr, ie_len);
}
} else if ((pmlmeinfo->state & 0x03) == WIFI_FW_ADHOC_STATE) {
psta = rtw_get_stainfo(pstapriv, mgmt->sa);
diff --git a/drivers/staging/r8188eu/core/rtw_p2p.c b/drivers/staging/r8188eu/core/rtw_p2p.c
index dc159e58f428..ce05458bd1ad 100644
--- a/drivers/staging/r8188eu/core/rtw_p2p.c
+++ b/drivers/staging/r8188eu/core/rtw_p2p.c
@@ -1505,8 +1505,6 @@ void p2p_protocol_wk_hdl(struct adapter *padapter, int intCmdType)
void process_p2p_ps_ie(struct adapter *padapter, u8 *IEs, u32 IELength)
{
- u8 *ies;
- u32 ies_len;
u8 *p2p_ie;
u32 p2p_ielen = 0;
u8 noa_attr[MAX_P2P_IE_LEN] = { 0x00 };/* NoA length should be n*(13) + 2 */
@@ -1518,13 +1516,8 @@ void process_p2p_ps_ie(struct adapter *padapter, u8 *IEs, u32 IELength)
if (rtw_p2p_chk_state(pwdinfo, P2P_STATE_NONE))
return;
- if (IELength <= _BEACON_IE_OFFSET_)
- return;
- ies = IEs + _BEACON_IE_OFFSET_;
- ies_len = IELength - _BEACON_IE_OFFSET_;
-
- p2p_ie = rtw_get_p2p_ie(ies, ies_len, NULL, &p2p_ielen);
+ p2p_ie = rtw_get_p2p_ie(IEs, IELength, NULL, &p2p_ielen);
while (p2p_ie) {
find_p2p = true;
@@ -1579,7 +1572,7 @@ void process_p2p_ps_ie(struct adapter *padapter, u8 *IEs, u32 IELength)
}
/* Get the next P2P IE */
- p2p_ie = rtw_get_p2p_ie(p2p_ie + p2p_ielen, ies_len - (p2p_ie - ies + p2p_ielen), NULL, &p2p_ielen);
+ p2p_ie = rtw_get_p2p_ie(p2p_ie + p2p_ielen, IELength - (p2p_ie - IEs + p2p_ielen), NULL, &p2p_ielen);
}
if (find_p2p) {
--
2.30.2
Powered by blists - more mailing lists