diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2017-10-18 03:44:27 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2017-10-18 03:44:27 +0000 |
| commit | 256810032c472505440606bd9c1c4f7dbf06b0a2 (patch) | |
| tree | d019f4f1ae29b86cbd3e9e74f832689976a267cf /src/drivers/driver_hostap.c | |
| parent | b834757ea3bcd1bba3381ff7cab216458d8f7efb (diff) | |
Diffstat (limited to 'src/drivers/driver_hostap.c')
| -rw-r--r-- | src/drivers/driver_hostap.c | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/src/drivers/driver_hostap.c b/src/drivers/driver_hostap.c index a7aa5eff00bd9..517a3bbb5d308 100644 --- a/src/drivers/driver_hostap.c +++ b/src/drivers/driver_hostap.c @@ -258,7 +258,8 @@ static int hostap_init_sockets(struct hostap_driver_data *drv, u8 *own_addr) static int hostap_send_mlme(void *priv, const u8 *msg, size_t len, int noack, - unsigned int freq) + unsigned int freq, + const u16 *csa_offs, size_t csa_offs_len) { struct hostap_driver_data *drv = priv; struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) msg; @@ -307,7 +308,7 @@ static int hostap_send_eapol(void *priv, const u8 *addr, const u8 *data, pos += 2; memcpy(pos, data, data_len); - res = hostap_send_mlme(drv, (u8 *) hdr, len, 0, 0); + res = hostap_send_mlme(drv, (u8 *) hdr, len, 0, 0, NULL, 0); if (res < 0) { wpa_printf(MSG_ERROR, "hostap_send_eapol - packet len: %lu - " "failed: %d (%s)", @@ -813,7 +814,7 @@ hostapd_wireless_event_wireless_custom(struct hostap_driver_data *drv, static void hostapd_wireless_event_wireless(struct hostap_driver_data *drv, - char *data, int len) + char *data, unsigned int len) { struct iw_event iwe_buf, *iwe = &iwe_buf; char *pos, *end, *custom, *buf; @@ -821,13 +822,13 @@ static void hostapd_wireless_event_wireless(struct hostap_driver_data *drv, pos = data; end = data + len; - while (pos + IW_EV_LCP_LEN <= end) { + while ((size_t) (end - pos) >= IW_EV_LCP_LEN) { /* Event data may be unaligned, so make a local, aligned copy * before processing. */ memcpy(&iwe_buf, pos, IW_EV_LCP_LEN); wpa_printf(MSG_DEBUG, "Wireless event: cmd=0x%x len=%d", iwe->cmd, iwe->len); - if (iwe->len <= IW_EV_LCP_LEN) + if (iwe->len <= IW_EV_LCP_LEN || iwe->len > end - pos) return; custom = pos + IW_EV_POINT_LEN; @@ -846,7 +847,7 @@ static void hostapd_wireless_event_wireless(struct hostap_driver_data *drv, switch (iwe->cmd) { case IWEVCUSTOM: - if (custom + iwe->u.data.length > end) + if (iwe->u.data.length > end - custom) return; buf = malloc(iwe->u.data.length + 1); if (buf == NULL) @@ -1045,7 +1046,7 @@ static int hostap_sta_deauth(void *priv, const u8 *own_addr, const u8 *addr, memcpy(mgmt.bssid, own_addr, ETH_ALEN); mgmt.u.deauth.reason_code = host_to_le16(reason); return hostap_send_mlme(drv, (u8 *) &mgmt, IEEE80211_HDRLEN + - sizeof(mgmt.u.deauth), 0, 0); + sizeof(mgmt.u.deauth), 0, 0, NULL, 0); } @@ -1083,7 +1084,7 @@ static int hostap_sta_disassoc(void *priv, const u8 *own_addr, const u8 *addr, memcpy(mgmt.bssid, own_addr, ETH_ALEN); mgmt.u.disassoc.reason_code = host_to_le16(reason); return hostap_send_mlme(drv, (u8 *) &mgmt, IEEE80211_HDRLEN + - sizeof(mgmt.u.disassoc), 0, 0); + sizeof(mgmt.u.disassoc), 0, 0, NULL, 0); } @@ -1161,7 +1162,7 @@ static void wpa_driver_hostap_poll_client(void *priv, const u8 *own_addr, os_memcpy(hdr.IEEE80211_BSSID_FROMDS, own_addr, ETH_ALEN); os_memcpy(hdr.IEEE80211_SA_FROMDS, own_addr, ETH_ALEN); - hostap_send_mlme(priv, (u8 *)&hdr, sizeof(hdr), 0, 0); + hostap_send_mlme(priv, (u8 *)&hdr, sizeof(hdr), 0, 0, NULL, 0); } |