From 83a58db918eba7a0384292e4cebecb8bdef182cb Mon Sep 17 00:00:00 2001
From: mentor
Date: Thu, 11 Oct 2007 15:40:49 +0000
Subject: [PATCH] If a rates information element is received that is larger than we will accept, simply take the first maximum size elements and continue, rather than BUG'ing out.

git-svn-id: http://madwifi-project.org/svn/madwifi/trunk@2736 0192ed92-7a03-0410-a25b-9323aeb14dbd
---
 net80211/_ieee80211.h | 2 ++
 net80211/ieee80211_scan_ap.c | 33 ++++++++++++++++-----------------
 net80211/ieee80211_scan_sta.c | 15 ++++++++-------
 3 files changed, 26 insertions(+), 24 deletions(-)

diff --git a/net80211/_ieee80211.h b/net80211/_ieee80211.h
index 82d3dbb..dfa5fc2 100644
--- a/net80211/_ieee80211.h
+++ b/net80211/_ieee80211.h
@@ -225,6 +225,8 @@ struct ieee80211_channel {
  */
 #define IEEE80211_RATE_SIZE 8 /* 802.11 standard */
 #define IEEE80211_RATE_MAXSIZE 15 /* max rates we'll handle */
+#define IEEE80211_SANITISE_RATESIZE(_rsz) \
+ ((_rsz > IEEE80211_RATE_MAXSIZE) ? IEEE80211_RATE_MAXSIZE : _rsz)
 
 struct ieee80211_rateset {
  u_int8_t rs_nrates;
diff --git a/net80211/ieee80211_scan_ap.c b/net80211/ieee80211_scan_ap.c
index c1a9df4..8509c63 100644
--- a/net80211/ieee80211_scan_ap.c
+++ b/net80211/ieee80211_scan_ap.c
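Review bot: The new IEEE80211_SANITISE_RATESIZE macro neither parenthesizes `_rsz` nor says what unit it expects, and the two callers in this same commit already disagree: ap_add passes a byte length (`2 + sp->rates[1]`) while sta_add passes the rate count (`sp->rates[1]`), which clamp to different results. Parenthesize the argument, `#define IEEE80211_SANITISE_RATESIZE(_rsz) (((_rsz) > IEEE80211_RATE_MAXSIZE) ? IEEE80211_RATE_MAXSIZE : (_rsz))`, and add a comment above it stating that the argument is the element's length byte (the number of rates), not the byte count including the two-byte header, so the caller adds `2 +` after clamping. The argument is also evaluated twice, so callers must not pass expressions with side effects; the comment should say so. Note that clamping bounds the copy only; it does not rewrite the length byte stored in the destination, which callers have to do themselves.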
@@ -511,31 +511,30 @@ ap_add(struct ieee80211_scan_state *ss, const struct ieee80211_scanparams *sp,
 IEEE80211_ADDR_COPY(se->base.se_macaddr, macaddr);
 TAILQ_INSERT_TAIL(&as->as_entry, se, se_list);
 LIST_INSERT_HEAD(&as->as_hash[hash], se, se_hash);
+
 found:
 ise = &se->base;
- /* XXX ap beaconing multiple ssid w/ same bssid */
- if (sp->ssid[1] != 0 &&
- ((subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) || ise->se_ssid[1] == 0))
- {
+
+ /* XXX: AP beaconing multiple SSID w/ same BSSID */
+ if ((sp->ssid[1] != 0) &&
+ ((subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) ||
+ (ise->se_ssid[1] == 0)))
 memcpy(ise->se_ssid, sp->ssid, 2 + sp->ssid[1]);
- }
- KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
- ("rate set too large: %u", sp->rates[1]));
- memcpy(ise->se_rates, sp->rates, 2 + sp->rates[1]);
+
+ memcpy(ise->se_rates, sp->rates,
+ IEEE80211_SANITISE_RATESIZE(2 + sp->rates[1]));
 if (sp->xrates != NULL) {
- /* XXX validate xrates[1] */
- KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,
- ("xrate set too large: %u", sp->xrates[1]));
- memcpy(ise->se_xrates, sp->xrates, 2 + sp->xrates[1]);
+ memcpy(ise->se_xrates, sp->xrates,
+ IEEE80211_SANITISE_RATESIZE(2 + sp->xrates[1]));
 } else
 ise->se_xrates[1] = 0;
+
 IEEE80211_ADDR_COPY(ise->se_bssid, wh->i_addr3);
- /*
- * Record rssi data using extended precision LPF filter.
- */
- if (se->se_lastupdate == 0) /* first sample */
+
+ /* Record RSSI data using extended precision LPF filter.*/
+ if (se->se_lastupdate == 0) /* First sample */
 se->se_avgrssi = RSSI_IN(rssi);
- else /* avg w/ previous samples */
+ else /* Avg. w/ previous samples */
 RSSI_LPF(se->se_avgrssi, rssi);
 se->base.se_rssi = RSSI_GET(se->se_avgrssi);
 ise->se_rtsf = rtsf;
diff --git a/net80211/ieee80211_scan_sta.c b/net80211/ieee80211_scan_sta.c
index 76de10e..c5e26df 100644
--- a/net80211/ieee80211_scan_sta.c
+++ b/net80211/ieee80211_scan_sta.c
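Review bot: In ap_add the clamp is applied to the whole byte length, `IEEE80211_SANITISE_RATESIZE(2 + sp->rates[1])` and likewise for xrates, so the copy is capped at IEEE80211_RATE_MAXSIZE bytes including the two-byte element header; the removed KASSERT allowed `sp->rates[1] <= IEEE80211_RATE_MAXSIZE` with a copy of `2 + sp->rates[1]`, so a 14- or 15-rate element that was accepted in full before now loses its last one or two rates, and the sta_add hunk in this same commit clamps the count instead. Use the sta_add form in both calls. Independently of that, the length byte at se_rates[1] (and se_xrates[1]) is still copied straight from the frame, so after a truncating copy the entry advertises more rates than were stored; presumably later code walks that many entries, so the count should be rewritten after each memcpy, as below. ap_add begins and ends outside the hunk, and the sizes of se_rates/se_xrates are not visible here; the copy of up to `2 + IEEE80211_RATE_MAXSIZE` bytes is what the old KASSERT permitted, which is worth re-checking against the declaration.
```c
	/* … unchanged: SSID bookkeeping … */
	memcpy(ise->se_rates, sp->rates,
		2 + IEEE80211_SANITISE_RATESIZE(sp->rates[1]));
	ise->se_rates[1] = IEEE80211_SANITISE_RATESIZE(sp->rates[1]);
	if (sp->xrates != NULL) {
		memcpy(ise->se_xrates, sp->xrates,
			2 + IEEE80211_SANITISE_RATESIZE(sp->xrates[1]));
		ise->se_xrates[1] = IEEE80211_SANITISE_RATESIZE(sp->xrates[1]);
	} else
		ise->se_xrates[1] = 0;
	/* … unchanged: BSSID copy and RSSI filter … */
```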
@@ -247,22 +247,23 @@ sta_add(struct ieee80211_scan_state *ss, const struct ieee80211_scanparams *sp,
 IEEE80211_ADDR_COPY(se->base.se_macaddr, macaddr);
 TAILQ_INSERT_TAIL(&st->st_entry, se, se_list);
 LIST_INSERT_HEAD(&st->st_hash[hash], se, se_hash);
+
 found:
 ise = &se->base;
+
 /* XXX ap beaconing multiple ssid w/ same bssid */
 if (sp->ssid[1] != 0 &&
 (ISPROBE(subtype) || ise->se_ssid[1] == 0))
 memcpy(ise->se_ssid, sp->ssid, 2 + sp->ssid[1]);
- KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
- ("rate set too large: %u", sp->rates[1]));
- memcpy(ise->se_rates, sp->rates, 2 + sp->rates[1]);
+
+ memcpy(ise->se_rates, sp->rates,
+ 2 + IEEE80211_SANITISE_RATESIZE(sp->rates[1]));
 if (sp->xrates != NULL) {
- /* XXX validate xrates[1] */
- KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,
- ("xrate set too large: %u", sp->xrates[1]));
- memcpy(ise->se_xrates, sp->xrates, 2 + sp->xrates[1]);
+ memcpy(ise->se_xrates, sp->xrates,
+ 2 + IEEE80211_SANITISE_RATESIZE(sp->xrates[1]));
 } else
 ise->se_xrates[1] = 0;
+
 IEEE80211_ADDR_COPY(ise->se_bssid, wh->i_addr3);
 /*
 * Record rssi data using extended precision LPF filter.
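Review bot: After the clamped memcpy in sta_add the stored length byte se_rates[1] (and se_xrates[1]) is still the value taken from the frame, so an element carrying more than IEEE80211_RATE_MAXSIZE rates is recorded with a count larger than the number of rates actually copied; presumably whatever later walks the entry's rate set trusts that byte, and would then read past the copied data. Add `ise->se_rates[1] = IEEE80211_SANITISE_RATESIZE(sp->rates[1]);` after the first memcpy and `ise->se_xrates[1] = IEEE80211_SANITISE_RATESIZE(sp->xrates[1]);` after the second. The copy of up to `2 + IEEE80211_RATE_MAXSIZE` bytes is what the removed KASSERT already permitted, so it presumes se_rates and se_xrates are at least that large; the declaration is not in this hunk and is worth confirming. sta_add begins and ends outside the hunk.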