Add check for psta->cmn.aid out of bounds

This commit is contained in:
kimocoder 2019-08-24 00:56:50 +02:00
parent 703d5772d4
commit 5ee5d67d22


@ -16,13 +16,6 @@
#include <drv_types.h> #include <drv_types.h>
#if defined(PLATFORM_LINUX) && defined (PLATFORM_WINDOWS)
#error "Shall be Linux or Windows, but not both!\n"
#endif
bool test_st_match_rule(_adapter *adapter, u8 *local_naddr, u8 *local_port, u8 *remote_naddr, u8 *remote_port) bool test_st_match_rule(_adapter *adapter, u8 *local_naddr, u8 *local_port, u8 *remote_naddr, u8 *remote_port)
{ {
if (ntohs(*((u16 *)local_port)) == 5001 || ntohs(*((u16 *)remote_port)) == 5001) if (ntohs(*((u16 *)local_port)) == 5001 || ntohs(*((u16 *)remote_port)) == 5001)
@ -369,7 +362,6 @@ static void _rtw_free_sta_recv_priv_lock(struct sta_recv_priv *psta_recvpriv)
_rtw_spinlock_free(&(psta_recvpriv->defrag_q.lock)); _rtw_spinlock_free(&(psta_recvpriv->defrag_q.lock));
} }
void rtw_mfree_stainfo(struct sta_info *psta); void rtw_mfree_stainfo(struct sta_info *psta);
@ -384,7 +376,6 @@ void rtw_mfree_stainfo(struct sta_info *psta)
} }
/* this function is used to free the memory of lock || sema for all stainfos */ /* this function is used to free the memory of lock || sema for all stainfos */
void rtw_mfree_all_stainfo(struct sta_priv *pstapriv); void rtw_mfree_all_stainfo(struct sta_priv *pstapriv);
void rtw_mfree_all_stainfo(struct sta_priv *pstapriv) void rtw_mfree_all_stainfo(struct sta_priv *pstapriv)
@ -393,7 +384,6 @@ void rtw_mfree_all_stainfo(struct sta_priv *pstapriv)
_list *plist, *phead; _list *plist, *phead;
struct sta_info *psta = NULL; struct sta_info *psta = NULL;
_enter_critical_bh(&pstapriv->sta_hash_lock, &irqL); _enter_critical_bh(&pstapriv->sta_hash_lock, &irqL);
phead = get_list_head(&pstapriv->free_sta_queue); phead = get_list_head(&pstapriv->free_sta_queue);
@ -408,7 +398,6 @@ void rtw_mfree_all_stainfo(struct sta_priv *pstapriv)
_exit_critical_bh(&pstapriv->sta_hash_lock, &irqL); _exit_critical_bh(&pstapriv->sta_hash_lock, &irqL);
} }
void rtw_mfree_sta_priv_lock(struct sta_priv *pstapriv); void rtw_mfree_sta_priv_lock(struct sta_priv *pstapriv);
@ -485,7 +474,6 @@ u32 _rtw_free_sta_priv(struct sta_priv *pstapriv)
return _SUCCESS; return _SUCCESS;
} }
static void rtw_init_recv_timer(struct recv_reorder_ctrl *preorder_ctrl) static void rtw_init_recv_timer(struct recv_reorder_ctrl *preorder_ctrl)
{ {
_adapter *padapter = preorder_ctrl->padapter; _adapter *padapter = preorder_ctrl->padapter;
@ -507,7 +495,6 @@ struct sta_info *rtw_alloc_stainfo(struct sta_priv *pstapriv, const u8 *hwaddr)
int i = 0; int i = 0;
u16 wRxSeqInitialValue = 0xffff; u16 wRxSeqInitialValue = 0xffff;
pfree_sta_queue = &pstapriv->free_sta_queue; pfree_sta_queue = &pstapriv->free_sta_queue;
/* _enter_critical_bh(&(pfree_sta_queue->lock), &irqL); */ /* _enter_critical_bh(&(pfree_sta_queue->lock), &irqL); */
@ -528,7 +515,6 @@ struct sta_info *rtw_alloc_stainfo(struct sta_priv *pstapriv, const u8 *hwaddr)
index = wifi_mac_hash(hwaddr); index = wifi_mac_hash(hwaddr);
if (index >= NUM_STA) { if (index >= NUM_STA) {
psta = NULL; psta = NULL;
goto exit; goto exit;
@ -583,7 +569,6 @@ struct sta_info *rtw_alloc_stainfo(struct sta_priv *pstapriv, const u8 *hwaddr)
rtw_init_recv_timer(preorder_ctrl); rtw_init_recv_timer(preorder_ctrl);
} }
/* init for DM */ /* init for DM */
psta->cmn.rssi_stat.rssi = (-1); psta->cmn.rssi_stat.rssi = (-1);
psta->cmn.rssi_stat.rssi_cck = (-1); psta->cmn.rssi_stat.rssi_cck = (-1);
@ -603,14 +588,12 @@ exit:
_exit_critical_bh(&(pstapriv->sta_hash_lock), &irqL2); _exit_critical_bh(&(pstapriv->sta_hash_lock), &irqL2);
if (psta) if (psta)
rtw_mi_update_iface_status(&(pstapriv->padapter->mlmepriv), 0); rtw_mi_update_iface_status(&(pstapriv->padapter->mlmepriv), 0);
return psta; return psta;
} }
/* using pstapriv->sta_hash_lock to protect */ /* using pstapriv->sta_hash_lock to protect */
u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta) u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta)
{ {
@ -655,7 +638,6 @@ u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta)
pfree_sta_queue = &pstapriv->free_sta_queue; pfree_sta_queue = &pstapriv->free_sta_queue;
pstaxmitpriv = &psta->sta_xmitpriv; pstaxmitpriv = &psta->sta_xmitpriv;
/* rtw_list_delete(&psta->sleep_list); */ /* rtw_list_delete(&psta->sleep_list); */
@ -711,7 +693,6 @@ u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta)
_exit_critical_bh(&pxmitpriv->lock, &irqL0); _exit_critical_bh(&pxmitpriv->lock, &irqL0);
/* re-init sta_info; 20061114 */ /* will be init in alloc_stainfo */ /* re-init sta_info; 20061114 */ /* will be init in alloc_stainfo */
/* _rtw_init_sta_xmit_priv(&psta->sta_xmitpriv); */ /* _rtw_init_sta_xmit_priv(&psta->sta_xmitpriv); */
/* _rtw_init_sta_recv_priv(&psta->sta_recvpriv); */ /* _rtw_init_sta_recv_priv(&psta->sta_recvpriv); */
@ -797,6 +778,11 @@ u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta)
#ifdef CONFIG_NATIVEAP_MLME #ifdef CONFIG_NATIVEAP_MLME
if (psta->cmn.aid > 31) {
pr_err("***** psta->aid (%d) out of bounds\n", psta->cmn.aid);
return _FAIL;
}
if (pmlmeinfo->state == _HW_STATE_AP_) { if (pmlmeinfo->state == _HW_STATE_AP_) {
rtw_tim_map_clear(padapter, pstapriv->sta_dz_bitmap, psta->cmn.aid); rtw_tim_map_clear(padapter, pstapriv->sta_dz_bitmap, psta->cmn.aid);
rtw_tim_map_clear(padapter, pstapriv->tim_bitmap, psta->cmn.aid); rtw_tim_map_clear(padapter, pstapriv->tim_bitmap, psta->cmn.aid);
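Review bot: The new guard `if (psta->cmn.aid > 31)` returns `_FAIL` from the middle of rtw_free_stainfo, so an out-of-range AID now abandons the rest of the teardown — the sta_info is presumably never handed back to `pfree_sta_queue` (fetched at the top of this function in the -655 hunk) and whatever bookkeeping follows this point is skipped, which would turn a corrupted AID into a leaked station slot and, if callers ignore the return value, a stale entry. Since the bound only matters for the two `rtw_tim_map_clear` calls, log and skip just the bitmap update instead of aborting the free: `if (psta->cmn.aid > 31)` / `pr_err("***** psta->aid (%d) out of bounds\n", psta->cmn.aid);` / `else if (pmlmeinfo->state == _HW_STATE_AP_) {`, keeping the existing block body (assuming that branch does nothing besides the map clears that must still run). The literal 31 should also become a named constant derived from the width of `tim_bitmap`/`sta_dz_bitmap` (a `MAX_AID_INDEX`-style placeholder) so the check cannot drift from the bitmap size, and if `cmn.aid` is a signed type a negative value still passes the `> 31` test — confirm the type and use `>= width` or an unsigned compare. rtw_free_stainfo begins and ends outside this hunk.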