On Thu, Oct 17, 2013 at 10:44 AM, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
> From: Johannes Berg <johannes.berg@xxxxxxxxx>
>
> Some APs (notably a Sitecom WL-153 v1 with firmware 1.45) are sending
> invalid WMM parameters setting AIFSN, ECWmin and ECWmax to zero. The
> spec mandates that the value of AIFSN is at least 2, and some cards
> (e.g. Intel with the iwldvm driver) can't transmit when the invalid
> QoS parameters are actually uploaded to the firmware.
>
> Since there's little chance of being able to guess the values that
> the AP actually meant, disable WMM if such an invalid case is found.
> Since ECWmin/ECWmax are allowed to be zero, only verify AIFSN >= 2
> and ECWmin <= ECWmax.
>
> Reported-by: Antonio Quartulli <antonio@xxxxxxxxxxxxxx>
> Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
> ---

[...]

> @@ -4192,9 +4231,36 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
> }
>
> /* prepare assoc data */
> -
> +
> ifmgd->beacon_crc_valid = false;
>
> + assoc_data->wmm = bss->wmm_used &&
> + (local->hw.queues >= IEEE80211_NUM_ACS);
> + if (assoc_data->wmm) {
> + /* try to check validity of WMM params IE */
> + const struct cfg80211_bss_ies *ies;
> + const u8 *wp, *start;
> + int len;
> +
> + rcu_read_lock();
> + ies = rcu_dereference(req->bss->ies);
> + start = ies->data;
> + len = ies->len;
> +
> + do {
> + wp = cfg80211_find_vendor_ie(0x0050F2, 2, start, len);
> + start = wp;
> + len -= wp[1];

You might NULL deref here.
But I don't really see how this calculation makes sense anyway
(you should probably increase start and take care of the IE's id+len
(i.e. wp[1] + 2) as well)?

Eliad.

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
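Review bot: In the `do { ... }` loop of the ieee80211_mgd_assoc hunk, `wp = cfg80211_find_vendor_ie(0x0050F2, 2, start, len);` can return NULL when no matching vendor IE is present in the remaining buffer, and the very next statement `len -= wp[1];` dereferences it unconditionally; a NULL check (`if (!wp) break;`) is needed before `wp` is used. The advance logic is also wrong even when `wp` is non-NULL: `start = wp;` leaves the search pointer at the element just found rather than past it, so the following `cfg80211_find_vendor_ie()` call returns the same IE again, and `len -= wp[1];` subtracts only the IE body length, ignoring the two-byte id+length header and the bytes between `start` and `wp`. Suggest advancing past the whole element and recomputing the remaining length from the new position, e.g. `len -= (wp + 2 + wp[1]) - start; start = wp + 2 + wp[1];`. The loop's exit condition and the matching `rcu_read_unlock()` fall outside the quoted portion of the hunk, so they cannot be checked here; the loop should at least be bounded by `len` reaching zero so that a malformed IE length from the AP cannot drive the search past the end of `ies->data`.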