athk6l: Fix channel list processing in scan requests

Limit the length of the channel list to WMI_MAX_CHANNELS to avoid rejection of the request in wmi.c. Since there is not really much point in using a specific list of more than 32 channels, drop the channel list if more channels are specified and scan all channels. Fix cfg80211 scan API use: ar->scan_req must be set only if returning success from scan() handler. The previous version would result in use of freed memory and likely kernel panic should the scan request fail to be sent to the target. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
git-mirror · Sep 5, 2011 · 11869be · 11869be
1 parent 252c068
commit 11869be
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/drivers/net/wireless/ath/ath6kl/cfg80211.c b/drivers/net/wireless/ath/ath6kl/cfg80211.c
@@ -793,10 +793,16 @@ static int ath6kl_cfg80211_scan(struct wiphy *wiphy, struct net_device *ndev,
 		}
 	}
 
-	if (request->n_channels > 0) {
+	/*
+	 * Scan only the requested channels if the request specifies a set of
+	 * channels. If the list is longer than the target supports, do not
+	 * configure the list and instead, scan all available channels.
+	 */
+	if (request->n_channels > 0 &&
+	    request->n_channels <= WMI_MAX_CHANNELS) {
 		u8 i;
 
-		n_channels = min(127U, request->n_channels);
+		n_channels = request->n_channels;
 
 		channels = kzalloc(n_channels * sizeof(u16), GFP_KERNEL);
 		if (channels == NULL) {
@@ -813,8 +819,8 @@ static int ath6kl_cfg80211_scan(struct wiphy *wiphy, struct net_device *ndev,
 				       false, 0, 0, n_channels, channels);
 	if (ret)
 		ath6kl_err("wmi_startscan_cmd failed\n");
-
-	ar->scan_req = request;
+	else
+		ar->scan_req = request;
 
 	kfree(channels);