From: Martin Kaiser
Date: Sat, 26 Nov 2022 16:01:23 +0000 (+0100)
Subject: staging: r8188eu: pass only ies to process_p2p_ps_ie
X-Git-Tag: v6.6.17~5902^2~19
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1ed513f3e0ff13f2a84e3479b7774f213c7d7066;p=platform%2Fkernel%2Flinux-rpi.git

staging: r8188eu: pass only ies to process_p2p_ps_ie

The process_p2p_ps_ie function parses the information elements of a beacon message and extracts p2p-related info.

process_p2p_ps_ie does not receive a pointer to the information elements as one would expect. Instead it receives a pointer to the timestamp field in the beacon message. process_p2p_ps_ie increments this pointer by _BEACON_IE_OFFSET_ to jump to the start of the information elements (and decreases the buffer length accordingly). This is clumsy and hard to understand.

Rewrite this such that process_p2p_ps_ie takes a pointer to the information elements and the total length of all elements. Check up-front that the total length is not negative.

Tested-by: Philipp Hortmann # Edimax N150
Signed-off-by: Martin Kaiser
Link: https://lore.kernel.org/r/20221126160129.178697-5-martin@kaiser.cx
Signed-off-by: Greg Kroah-Hartman
---

diff --git a/drivers/staging/r8188eu/core/rtw_mlme_ext.c b/drivers/staging/r8188eu/core/rtw_mlme_ext.c
index 5a31b20..07c57a2 100644
--- a/drivers/staging/r8188eu/core/rtw_mlme_ext.c
+++ b/drivers/staging/r8188eu/core/rtw_mlme_ext.c
@@ -556,6 +556,13 @@ static void OnBeacon(struct adapter *padapter, struct recv_frame *precv_frame)
 	uint len = precv_frame->len;
 	struct wlan_bssid_ex *pbss;
 	int ret = _SUCCESS;
+	u8 *ie_ptr;
+	u32 ie_len;
+
+	ie_ptr = (u8 *)&mgmt->u.beacon.variable;
+	if (precv_frame->len < offsetof(struct ieee80211_mgmt, u.beacon.variable))
+		return;
+	ie_len = precv_frame->len - offsetof(struct ieee80211_mgmt, u.beacon.variable);
 
 	if (pmlmeext->sitesurvey_res.state == SCAN_PROCESS) {
 		report_survey_event(padapter, precv_frame);
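Review bot: The new guard `if (precv_frame->len < offsetof(struct ieee80211_mgmt, u.beacon.variable))` re-reads `precv_frame->len` and repeats the `offsetof(...)` expression on the next line, although the local `len` declared two lines above already holds the same value; naming the offset once keeps the three lines readable: `const size_t ie_off = offsetof(struct ieee80211_mgmt, u.beacon.variable);` / `if (len < ie_off) return;` / `ie_len = len - ie_off;`. The early return is also placed before the `SCAN_PROCESS` branch, so a beacon shorter than the fixed beacon fields is now dropped before `report_survey_event` sees it, which looks intended for a malformed frame but is a behaviour change beyond the refactor the commit message describes, and a one-line comment such as `/* runt beacon: no room for the fixed fields, nothing to parse */` would make that deliberate. OnBeacon's body continues outside the hunk.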
@@ -598,7 +605,7 @@ static void OnBeacon(struct adapter *padapter, struct recv_frame *precv_frame)
 			/* todo: the timer is used instead of the number of the beacon received */
 			if ((sta_rx_pkts(psta) & 0xf) == 0)
 				update_beacon_info(padapter, pframe, len, psta);
-			process_p2p_ps_ie(padapter, (pframe + WLAN_HDR_A3_LEN), (len - WLAN_HDR_A3_LEN));
+			process_p2p_ps_ie(padapter, ie_ptr, ie_len);
 		}
 	} else if ((pmlmeinfo->state & 0x03) == WIFI_FW_ADHOC_STATE) {
 		psta = rtw_get_stainfo(pstapriv, mgmt->sa);
diff --git a/drivers/staging/r8188eu/core/rtw_p2p.c b/drivers/staging/r8188eu/core/rtw_p2p.c
index dc159e5..ce05458 100644
--- a/drivers/staging/r8188eu/core/rtw_p2p.c
+++ b/drivers/staging/r8188eu/core/rtw_p2p.c
@@ -1505,8 +1505,6 @@ void p2p_protocol_wk_hdl(struct adapter *padapter, int intCmdType)
 
 void process_p2p_ps_ie(struct adapter *padapter, u8 *IEs, u32 IELength)
 {
-	u8 *ies;
-	u32 ies_len;
 	u8 *p2p_ie;
 	u32 p2p_ielen = 0;
 	u8 noa_attr[MAX_P2P_IE_LEN] = { 0x00 };/* NoA length should be n*(13) + 2 */
@@ -1518,13 +1516,8 @@ void process_p2p_ps_ie(struct adapter *padapter, u8 *IEs, u32 IELength)
 	if (rtw_p2p_chk_state(pwdinfo, P2P_STATE_NONE))
 		return;
 
-	if (IELength <= _BEACON_IE_OFFSET_)
-		return;
-	ies = IEs + _BEACON_IE_OFFSET_;
-	ies_len = IELength - _BEACON_IE_OFFSET_;
-
-	p2p_ie = rtw_get_p2p_ie(ies, ies_len, NULL, &p2p_ielen);
+	p2p_ie = rtw_get_p2p_ie(IEs, IELength, NULL, &p2p_ielen);
 
 	while (p2p_ie) {
 		find_p2p = true;
@@ -1579,7 +1572,7 @@ void process_p2p_ps_ie(struct adapter *padapter, u8 *IEs, u32 IELength)
 		}
 
 		/* Get the next P2P IE */
-		p2p_ie = rtw_get_p2p_ie(p2p_ie + p2p_ielen, ies_len - (p2p_ie - ies + p2p_ielen), NULL, &p2p_ielen);
+		p2p_ie = rtw_get_p2p_ie(p2p_ie + p2p_ielen, IELength - (p2p_ie - IEs + p2p_ielen), NULL, &p2p_ielen);
 	}
 
 	if (find_p2p) {
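Review bot: With the `IELength <= _BEACON_IE_OFFSET_` guard removed in the hunk at `@@ -1518,13 +1516,8 @@`, process_p2p_ps_ie no longer validates its length argument at all and relies on the caller (OnBeacon in rtw_mlme_ext.c) to pass an `IELength` that lies within the received frame, but that contract is not written down anywhere in the function. A comment at the definition, e.g. `/* IEs/IELength: the beacon's information elements only; the caller guarantees IELength does not run past the received frame */`, would make the new precondition explicit for any other caller. The remaining-length expression in the last hunk, `IELength - (p2p_ie - IEs + p2p_ielen)`, is the old `ies_len` form renamed and still mixes a u32 with a pointer difference, so it continues to presume rtw_get_p2p_ie only returns elements that fit entirely inside the buffer; that assumption is not visible here and is worth confirming. The function's signature is in the preceding hunk and its body continues past these hunks.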