The patch titled bcm43xx: Fix array overrun in bcm43xx_geo_init has been added to the -mm tree. Its filename is bcm43xx-fix-array-overrun-in-bcm43xx_geo_init.patch See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find out what to do about this From: Michael Buesch <mb@xxxxxxxxx> The problem here is that the bcm34xx driver and the ieee80211 stack do not agree on what channels are possible for 802.11a. The ieee80211 stack only wants channels between 34 and 165, while the bcm43xx driver accepts anything from 0 to 200. I made the bcm43xx driver comply with the ieee80211 stack expectations, by using the proper constants. Signed-off-by: Jean Delvare <jdelvare@xxxxxxx> Signed-off-by: Michael Buesch <mb@xxxxxxxxx> Cc: "John W. Linville" <linville@xxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---
drivers/net/wireless/bcm43xx/bcm43xx_main.c | 43 ++++++++++-------- drivers/net/wireless/bcm43xx/bcm43xx_main.h | 6 +- 2 files changed, 30 insertions(+), 19 deletions(-)
diff -puN drivers/net/wireless/bcm43xx/bcm43xx_main.c~bcm43xx-fix-array-overrun-in-bcm43xx_geo_init drivers/net/wireless/bcm43xx/bcm43xx_main.c
--- devel/drivers/net/wireless/bcm43xx/bcm43xx_main.c~bcm43xx-fix-array-overrun-in-bcm43xx_geo_init 2006-05-10 20:37:32.000000000 -0700
+++ devel-akpm/drivers/net/wireless/bcm43xx/bcm43xx_main.c 2006-05-10 20:37:32.000000000 -0700
@@ -941,9 +941,9 @@ static int bcm43xx_sprom_extract(struct
 return 0;
 }
 
-static void bcm43xx_geo_init(struct bcm43xx_private *bcm)
+static int bcm43xx_geo_init(struct bcm43xx_private *bcm)
 {
- struct ieee80211_geo geo;
+ struct ieee80211_geo *geo;
 struct ieee80211_channel *chan;
 int have_a = 0, have_bg = 0;
 int i;
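Review bot: The signature change in this hunk makes bcm43xx_geo_init fallible, but the definition carries no comment telling callers what a non-zero return means. I would add above it `/* Fill in the A and B/G channel tables and pass them to the ieee80211 stack. Returns 0 on success or -ENOMEM. */`. The function body runs past the end of this hunk; the return values named here are the ones visible in the later hunks of the same patch.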
@@ -951,7 +951,10 @@ static void bcm43xx_geo_init(struct bcm4
 struct bcm43xx_phyinfo *phy;
 const char *iso_country;
 
- memset(&geo, 0, sizeof(geo));
+ geo = kzalloc(sizeof(*geo), GFP_KERNEL);
+ if (!geo)
+ return -ENOMEM;
+
 for (i = 0; i < bcm->nr_80211_available; i++) {
 phy = &(bcm->core_80211_ext[i].phy);
 switch (phy->type) {
@@ -969,31 +972,36 @@ static void bcm43xx_geo_init(struct bcm4
 iso_country = bcm43xx_locale_iso(bcm->sprom.locale);
 
 if (have_a) {
- for (i = 0, channel = 0; channel < 201; channel++) {
- chan = &geo.a[i++];
+ for (i = 0, channel = IEEE80211_52GHZ_MIN_CHANNEL;
+ channel <= IEEE80211_52GHZ_MAX_CHANNEL; channel++) {
+ chan = &geo->a[i++];
 chan->freq = bcm43xx_channel_to_freq_a(channel);
 chan->channel = channel;
 }
- geo.a_channels = i;
+ geo->a_channels = i;
 }
 if (have_bg) {
- for (i = 0, channel = 1; channel < 15; channel++) {
- chan = &geo.bg[i++];
+ for (i = 0, channel = IEEE80211_24GHZ_MIN_CHANNEL;
+ channel <= IEEE80211_24GHZ_MAX_CHANNEL; channel++) {
+ chan = &geo->bg[i++];
 chan->freq = bcm43xx_channel_to_freq_bg(channel);
 chan->channel = channel;
 }
- geo.bg_channels = i;
+ geo->bg_channels = i;
 }
- memcpy(geo.name, iso_country, 2);
+ memcpy(geo->name, iso_country, 2);
 if (0 /*TODO: Outdoor use only */)
- geo.name[2] = 'O';
+ geo->name[2] = 'O';
 else if (0 /*TODO: Indoor use only */)
- geo.name[2] = 'I';
+ geo->name[2] = 'I';
 else
- geo.name[2] = ' ';
- geo.name[3] = '\0';
+ geo->name[2] = ' ';
+ geo->name[3] = '\0';
+
+ ieee80211_set_geo(bcm->ieee, geo);
+ kfree(geo);
 
- ieee80211_set_geo(bcm->ieee, &geo);
+ return 0;
 }
 
 /* DummyTransmission function, as documented on
@@ -3466,6 +3474,9 @@ static int bcm43xx_attach_board(struct b
 goto err_80211_unwind;
 bcm43xx_wireless_core_disable(bcm);
 }
+ err = bcm43xx_geo_init(bcm);
+ if (err)
+ goto err_80211_unwind;
 bcm43xx_pctl_set_crystal(bcm, 0);
 
 /* Set the MAC address in the networking subsystem */
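Review bot: In the @@ -969 hunk of bcm43xx_geo_init, both loops still write through `geo->a[i++]` and `geo->bg[i++]` with no check against the array dimensions, so the overrun fix holds only while struct ieee80211_geo declares at least MAX - MIN + 1 entries per band. That declaration is not part of this patch, so I would pin the coupling at compile time, assuming `a` and `bg` are fixed-size arrays: `BUILD_BUG_ON(ARRAY_SIZE(geo->a) < IEEE80211_52GHZ_MAX_CHANNEL - IEEE80211_52GHZ_MIN_CHANNEL + 1);` and the same for `geo->bg` with the 24GHZ constants. Separately, `kfree(geo)` directly after `ieee80211_set_geo()` is only safe if the stack copies the structure instead of keeping the pointer; a one-line comment such as `/* ieee80211_set_geo() copies *geo, the temporary can go */` would record that assumption once it is confirmed.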
@@ -3474,8 +3485,6 @@ static int bcm43xx_attach_board(struct b
 else
 memcpy(bcm->net_dev->dev_addr, bcm->sprom.il0macaddr, 6);
 
- bcm43xx_geo_init(bcm);
-
 snprintf(bcm->nick, IW_ESSID_MAX_SIZE,
 "Broadcom %04X", bcm->chip_id);
 
diff -puN drivers/net/wireless/bcm43xx/bcm43xx_main.h~bcm43xx-fix-array-overrun-in-bcm43xx_geo_init drivers/net/wireless/bcm43xx/bcm43xx_main.h
--- devel/drivers/net/wireless/bcm43xx/bcm43xx_main.h~bcm43xx-fix-array-overrun-in-bcm43xx_geo_init 2006-05-10 20:37:32.000000000 -0700
+++ devel-akpm/drivers/net/wireless/bcm43xx/bcm43xx_main.h 2006-05-10 20:37:32.000000000 -0700
@@ -118,12 +118,14 @@ int bcm43xx_channel_to_freq(struct bcm43
 static inline
 int bcm43xx_is_valid_channel_a(u8 channel)
 {
- return (channel <= 200);
+ return (channel >= IEEE80211_52GHZ_MIN_CHANNEL
+ && channel <= IEEE80211_52GHZ_MAX_CHANNEL);
 }
 static inline
 int bcm43xx_is_valid_channel_bg(u8 channel)
 {
- return (channel >= 1 && channel <= 14);
+ return (channel >= IEEE80211_24GHZ_MIN_CHANNEL
+ && channel <= IEEE80211_24GHZ_MAX_CHANNEL);
 }
 static inline
 int bcm43xx_is_valid_channel(struct bcm43xx_private *bcm,
_ Patches currently in -mm which might be from mb@xxxxxxxxx are bcm43xx-fix-iwmode-crash-when-down.patch git-netdev-all.patch bcm43xx-check-for-valid-mac-address-in-sprom.patch bcm43xx-fix-whitespace.patch bcm43xx-add-pci-id-for-bcm4319.patch bcm43xx-fix-array-overrun-in-bcm43xx_geo_init.patch capi-crash--race-condition.patch - To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
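Review bot: In bcm43xx_main.h, bcm43xx_is_valid_channel_a() and bcm43xx_is_valid_channel_bg() still take `u8 channel`, so a caller that passes a wider integer has it truncated before the new range check runs (300 becomes 44 and is accepted as an A-band channel). The callers are not in this patch, so this may already be handled, but if any channel number arrives as an int from a configuration interface, the parameter should become `int channel` or the caller should reject values above 255 first. It would also help to state in a comment above the helpers that the accepted range must match the channel tables filled in by bcm43xx_geo_init, since both now depend on the same IEEE80211_*_CHANNEL constants.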