If a rates information element is received that is larger than we will accept, simply take the first maximum size elements and continue, rather than BUG'ing out.

git-svn-id: http://madwifi-project.org/svn/madwifi/trunk@2736 0192ed92-7a03-0410-a25b-9323aeb14dbd

net80211/_ieee80211.h

@@ -225,6 +225,8 @@ struct ieee80211_channel {
  */
 #define	IEEE80211_RATE_SIZE	8		/* 802.11 standard */
 #define	IEEE80211_RATE_MAXSIZE	15		/* max rates we'll handle */
+#define	IEEE80211_SANITISE_RATESIZE(_rsz) \
+	((_rsz > IEEE80211_RATE_MAXSIZE) ? IEEE80211_RATE_MAXSIZE : _rsz)
 
 struct ieee80211_rateset {
 	u_int8_t rs_nrates;

net80211/ieee80211_scan_ap.c

@@ -511,31 +511,30 @@ ap_add(struct ieee80211_scan_state *ss, const struct ieee80211_scanparams *sp,
 	IEEE80211_ADDR_COPY(se->base.se_macaddr, macaddr);
 	TAILQ_INSERT_TAIL(&as->as_entry, se, se_list);
 	LIST_INSERT_HEAD(&as->as_hash[hash], se, se_hash);
+
 found:
 	ise = &se->base;
-	/* XXX ap beaconing multiple ssid w/ same bssid */
-	if (sp->ssid[1] != 0 &&
-	    ((subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) || ise->se_ssid[1] == 0))
-	{
+
+	/* XXX: AP beaconing multiple SSID w/ same BSSID */
+	if ((sp->ssid[1] != 0) &&
+	    ((subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) || 
+	     (ise->se_ssid[1] == 0)))
 		memcpy(ise->se_ssid, sp->ssid, 2 + sp->ssid[1]);
-        }
-	KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
-		("rate set too large: %u", sp->rates[1]));
-	memcpy(ise->se_rates, sp->rates, 2 + sp->rates[1]);
+
+	memcpy(ise->se_rates, sp->rates, 
+		IEEE80211_SANITISE_RATESIZE(2 + sp->rates[1]));
 	if (sp->xrates != NULL) {
-		/* XXX validate xrates[1] */
-		KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,
-			("xrate set too large: %u", sp->xrates[1]));
-		memcpy(ise->se_xrates, sp->xrates, 2 + sp->xrates[1]);
+		memcpy(ise->se_xrates, sp->xrates, 
+				IEEE80211_SANITISE_RATESIZE(2 + sp->xrates[1]));
 	} else
 		ise->se_xrates[1] = 0;
+
 	IEEE80211_ADDR_COPY(ise->se_bssid, wh->i_addr3);
-	/*
-	 * Record rssi data using extended precision LPF filter.
-	 */
-	if (se->se_lastupdate == 0)		/* first sample */
+
+	/* Record RSSI data using extended precision LPF filter.*/
+	if (se->se_lastupdate == 0)			/* First sample */
 		se->se_avgrssi = RSSI_IN(rssi);
-	else					/* avg w/ previous samples */
+	else					/* Avg. w/ previous samples */
 		RSSI_LPF(se->se_avgrssi, rssi);
 	se->base.se_rssi = RSSI_GET(se->se_avgrssi);
 	ise->se_rtsf = rtsf;

net80211/ieee80211_scan_sta.c

@@ -247,22 +247,23 @@ sta_add(struct ieee80211_scan_state *ss, const struct ieee80211_scanparams *sp,
 	IEEE80211_ADDR_COPY(se->base.se_macaddr, macaddr);
 	TAILQ_INSERT_TAIL(&st->st_entry, se, se_list);
 	LIST_INSERT_HEAD(&st->st_hash[hash], se, se_hash);
+
 found:
 	ise = &se->base;
+
 	/* XXX ap beaconing multiple ssid w/ same bssid */
 	if (sp->ssid[1] != 0 &&
 	    (ISPROBE(subtype) || ise->se_ssid[1] == 0))
 		memcpy(ise->se_ssid, sp->ssid, 2 + sp->ssid[1]);
-	KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
-		("rate set too large: %u", sp->rates[1]));
-	memcpy(ise->se_rates, sp->rates, 2 + sp->rates[1]);
+
+	memcpy(ise->se_rates, sp->rates, 
+			2 + IEEE80211_SANITISE_RATESIZE(sp->rates[1]));
 	if (sp->xrates != NULL) {
-		/* XXX validate xrates[1] */
-		KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,
-			("xrate set too large: %u", sp->xrates[1]));
-		memcpy(ise->se_xrates, sp->xrates, 2 + sp->xrates[1]);
+		memcpy(ise->se_xrates, sp->xrates, 
+				2 + IEEE80211_SANITISE_RATESIZE(sp->xrates[1]));
 	} else
 		ise->se_xrates[1] = 0;
+
 	IEEE80211_ADDR_COPY(ise->se_bssid, wh->i_addr3);
 	/*
 	 * Record rssi data using extended precision LPF filter.