From 3619fd91b831f184d2e544e23cb54d20eed2531e Mon Sep 17 00:00:00 2001
From: Insun Song
Date: Wed, 30 Nov 2016 12:00:17 -0800
Subject: net: wireless: bcmdhd: fix hotlist index in wl_cfgvendor_hotlist_cfg
add bssid count element to exactly refer in NL-TLV parsing. This change need to sync with /hardware/broadcom/wlan/bcmdhd/wifi_hal/gscan.cpp where GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT supposed to be called.
Bug: 32474971
Signed-off-by: Insun Song
Change-Id: Id2b019bb43fb99b3843fe1b32f59e58c7af7cdad
---
 drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 39 ++++++++++++++++++++++++------
 drivers/net/wireless/bcmdhd/wl_cfgvendor.h | 1 +
 2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
index 420cb2f..3e80169 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
@@ -702,7 +702,7 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
 GFP_KERNEL);
 if (!hotlist_params) {
- WL_ERR(("Cannot Malloc mem to parse config commands size - %d bytes \n", len));
+ WL_ERR(("Cannot Malloc mem.\n"));
 return -ENOMEM;
 }
@@ -711,10 +711,33 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
 nla_for_each_attr(iter, data, len, tmp2) {
 type = nla_type(iter);
 switch (type) {
+ case GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT:
+ if (nla_len(iter) != sizeof(uint32)) {
+ WL_DBG(("type:%d length:%d not matching.\n",
+ type, nla_len(inner)));
+ err = -EINVAL;
+ goto exit;
+ }
+ hotlist_params->nbssid = (uint16)nla_get_u32(iter);
+ if ((hotlist_params->nbssid == 0) ||
+ (hotlist_params->nbssid > PFN_SWC_MAX_NUM_APS)) {
+ WL_ERR(("nbssid:%d exceed limit.\n",
+ hotlist_params->nbssid));
+ err = -EINVAL;
+ goto exit;
+ }
+ break;
 case GSCAN_ATTRIBUTE_HOTLIST_BSSIDS:
+ if (hotlist_params->nbssid == 0) {
+ WL_ERR(("nbssid not retrieved.\n"));
+ err = -EINVAL;
+ goto exit;
+ }
 pbssid = hotlist_params->bssid;
 nla_for_each_nested(outer, iter, tmp) {
 nla_for_each_nested(inner, outer, tmp1) {
+ if (j >= hotlist_params->nbssid)
+ break;
 type = nla_type(inner);
 switch (type) {
@@ -751,13 +774,13 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
 break;
 }
 }
- if (++j > PFN_SWC_MAX_NUM_APS) {
- WL_DBG(("nbssid:%d exeed limit.\n",
- hotlist_params->nbssid));
- err = -EINVAL;
- goto exit;
- }
- hotlist_params->nbssid = j;
+ j++;
+ }
+ if (j != hotlist_params->nbssid) {
+ WL_ERR(("bssid_cnt:%d != nbssid:%d.\n", j,
+ hotlist_params->nbssid));
+ err = -EINVAL;
+ goto exit;
 }
 break;
 case GSCAN_ATTRIBUTE_HOTLIST_FLUSH:
diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.h b/drivers/net/wireless/bcmdhd/wl_cfgvendor.h
index 58077b3..7d33c62 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.h
+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.h
@@ -181,6 +181,7 @@ enum gscan_attributes {
 GSCAN_ATTRIBUTE_RSSI_HIGH,
 GSCAN_ATTRIBUTE_HOSTLIST_BSSID_ELEM,
 GSCAN_ATTRIBUTE_HOTLIST_FLUSH,
+ GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT,
 /* remaining reserved for additional attributes */
 GSCAN_ATTRIBUTE_RSSI_SAMPLE_SIZE = 60,
-- cgit v1.1
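Review bot: In the new `GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT` case (hunk `@@ -711,10 +711,33 @@`), the length-mismatch debug message logs `nla_len(inner)` although the attribute being validated is `iter`. Within the visible lines `inner` is assigned only by the nested loop of the `GSCAN_ATTRIBUTE_HOTLIST_BSSIDS` case, so when the count attribute is parsed first it is presumably still unset; the arguments should read `type, nla_len(iter)));`. The same case narrows with `(uint16)nla_get_u32(iter)` before the range check, so a 32-bit count is judged only on its low 16 bits; holding the value in a `uint32` local, checking it against `PFN_SWC_MAX_NUM_APS`, and narrowing afterwards would reject oversized counts. The function starts and ends outside the hunk, so the declarations of `inner` and `j` are not visible here.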
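Review bot: The `j != hotlist_params->nbssid` check added in hunk `@@ -751,13 +774,13 @@` holds only at the moment the `GSCAN_ATTRIBUTE_HOTLIST_BSSIDS` attribute finishes parsing. Nothing visible stops a second `GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT` attribute later in the same message from overwriting `nbssid`, which would leave the count out of step with the entries actually filled. Rejecting a repeated count at the top of that case, `if (hotlist_params->nbssid != 0) { err = -EINVAL; goto exit; }`, would close the gap; this assumes the structure is zero-initialised by the allocation, which lies outside the hunk. `j` also appears not to be reset when the BSSIDS case is entered (its initialisation is outside the hunk), so a comment stating that each attribute is expected at most once per message would help the next reader.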
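Review bot: The new enumerator `GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT` in `enum gscan_attributes` (hunk `@@ -181,6 +181,7 @@` of wl_cfgvendor.h) takes its value from its position, and that value is part of the netlink interface shared with the user-space HAL named in the commit message, yet the header does not say so. A comment on the line such as `/* netlink ABI: value must match the wifi_hal gscan attribute enum; do not insert above */` would keep a later insertion from silently renumbering it. The enum begins and ends outside the hunk, so the values of the preceding enumerators are not visible here.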