Commit d4b4aaba515a ("staging: wilc1000: fix line over 80 characters in
host_int_parse_join_bss_param()") introduced a bug by not keeping the
rates_no value while parsing ies elements.
It also increments auth_total_cnt as a pointer instead of its reference.
This commit fixes the bug by passing reference to rates_no to
host_int_parse_join_bss_param() and by incrementing reference of
auth_total_cnt
Fixes: d4b4aaba515a (staging: wilc1000: fix line over 80 characters in host_int_parse_join_bss_param())
Signed-off-by: Adham Abozaeid <adham.abozaeid@xxxxxxxxxxxxx>
---
drivers/staging/wilc1000/host_interface.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/drivers/staging/wilc1000/host_interface.c b/drivers/staging/wilc1000/host_interface.c
index a2f82c8..bf7dd18d 100644
--- a/drivers/staging/wilc1000/host_interface.c
+++ b/drivers/staging/wilc1000/host_interface.c
@@ -3813,9 +3813,9 @@ int wilc_setup_multicast_filter(struct wilc_vif *vif, bool enabled,
static void host_int_fill_join_bss_param(struct join_bss_param *param, u8 *ies,
u16 *out_index, u8 *pcipher_tc,
- u8 *auth_total_cnt, u32 tsf_lo)
+ u8 *auth_total_cnt, u32 tsf_lo,
+ u8 *rates_no)
{
- u8 rates_no = 0;
u8 ext_rates_no;
u16 offset;
u8 pcipher_cnt;
@@ -3824,23 +3824,23 @@ static void host_int_fill_join_bss_param(struct join_bss_param *param, u8 *ies,
u16 index = *out_index;
if (ies[index] == SUPP_RATES_IE) {
- rates_no = ies[index + 1];
- param->supp_rates[0] = rates_no;
+ *rates_no = ies[index + 1];
+ param->supp_rates[0] = *rates_no;
index += 2;
- for (i = 0; i < rates_no; i++)
+ for (i = 0; i < *rates_no; i++)
param->supp_rates[i + 1] = ies[index + i];
- index += rates_no;
+ index += *rates_no;
} else if (ies[index] == EXT_SUPP_RATES_IE) {
ext_rates_no = ies[index + 1];
- if (ext_rates_no > (MAX_RATES_SUPPORTED - rates_no))
+ if (ext_rates_no > (MAX_RATES_SUPPORTED - *rates_no))
param->supp_rates[0] = MAX_RATES_SUPPORTED;
else
param->supp_rates[0] += ext_rates_no;
index += 2;
- for (i = 0; i < (param->supp_rates[0] - rates_no); i++)
- param->supp_rates[rates_no + i + 1] = ies[index + i];
+ for (i = 0; i < (param->supp_rates[0] - *rates_no); i++)
+ param->supp_rates[*rates_no + i + 1] = ies[index + i];
index += ext_rates_no;
} else if (ies[index] == HT_CAPABILITY_IE) {
@@ -3929,7 +3929,7 @@ static void host_int_fill_join_bss_param(struct join_bss_param *param, u8 *ies,
*policy = ies[rsn_idx + ((j + 1) * 4) - 1];
}
- auth_total_cnt += auth_cnt;
+ *auth_total_cnt += auth_cnt;
rsn_idx += offset;
if (ies[index] == RSN_IE) {
@@ -3950,6 +3950,7 @@ static void *host_int_parse_join_bss_param(struct network_info *info)
{
struct join_bss_param *param = NULL;
u16 index = 0;
+ u8 rates_no = 0;
u8 pcipher_total_cnt = 0;
u8 auth_total_cnt = 0;
@@ -3969,7 +3970,8 @@ static void *host_int_parse_join_bss_param(struct network_info *info)
while (index < info->ies_len)
host_int_fill_join_bss_param(param, info->ies, &index,
&pcipher_total_cnt,
- &auth_total_cnt, info->tsf_lo);
+ &auth_total_cnt, info->tsf_lo,
+ &rates_no);
return (void *)param;
}
--
2.7.4
