mirror of
https://github.com/aircrack-ng/rtl8812au.git
synced 2025-01-19 09:11:34 +00:00
Add check for psta->cmn.aid out of bounds
This commit is contained in:
parent
703d5772d4
commit
5ee5d67d22
@ -16,13 +16,6 @@
|
||||
|
||||
#include <drv_types.h>
|
||||
|
||||
#if defined(PLATFORM_LINUX) && defined (PLATFORM_WINDOWS)
|
||||
|
||||
#error "Shall be Linux or Windows, but not both!\n"
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
bool test_st_match_rule(_adapter *adapter, u8 *local_naddr, u8 *local_port, u8 *remote_naddr, u8 *remote_port)
|
||||
{
|
||||
if (ntohs(*((u16 *)local_port)) == 5001 || ntohs(*((u16 *)remote_port)) == 5001)
|
||||
@ -369,7 +362,6 @@ static void _rtw_free_sta_recv_priv_lock(struct sta_recv_priv *psta_recvpriv)
|
||||
|
||||
_rtw_spinlock_free(&(psta_recvpriv->defrag_q.lock));
|
||||
|
||||
|
||||
}
|
||||
|
||||
void rtw_mfree_stainfo(struct sta_info *psta);
|
||||
@ -384,7 +376,6 @@ void rtw_mfree_stainfo(struct sta_info *psta)
|
||||
|
||||
}
|
||||
|
||||
|
||||
/* this function is used to free the memory of lock || sema for all stainfos */
|
||||
void rtw_mfree_all_stainfo(struct sta_priv *pstapriv);
|
||||
void rtw_mfree_all_stainfo(struct sta_priv *pstapriv)
|
||||
@ -393,7 +384,6 @@ void rtw_mfree_all_stainfo(struct sta_priv *pstapriv)
|
||||
_list *plist, *phead;
|
||||
struct sta_info *psta = NULL;
|
||||
|
||||
|
||||
_enter_critical_bh(&pstapriv->sta_hash_lock, &irqL);
|
||||
|
||||
phead = get_list_head(&pstapriv->free_sta_queue);
|
||||
@ -408,7 +398,6 @@ void rtw_mfree_all_stainfo(struct sta_priv *pstapriv)
|
||||
|
||||
_exit_critical_bh(&pstapriv->sta_hash_lock, &irqL);
|
||||
|
||||
|
||||
}
|
||||
|
||||
void rtw_mfree_sta_priv_lock(struct sta_priv *pstapriv);
|
||||
@ -485,7 +474,6 @@ u32 _rtw_free_sta_priv(struct sta_priv *pstapriv)
|
||||
return _SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
static void rtw_init_recv_timer(struct recv_reorder_ctrl *preorder_ctrl)
|
||||
{
|
||||
_adapter *padapter = preorder_ctrl->padapter;
|
||||
@ -507,7 +495,6 @@ struct sta_info *rtw_alloc_stainfo(struct sta_priv *pstapriv, const u8 *hwaddr)
|
||||
int i = 0;
|
||||
u16 wRxSeqInitialValue = 0xffff;
|
||||
|
||||
|
||||
pfree_sta_queue = &pstapriv->free_sta_queue;
|
||||
|
||||
/* _enter_critical_bh(&(pfree_sta_queue->lock), &irqL); */
|
||||
@ -528,7 +515,6 @@ struct sta_info *rtw_alloc_stainfo(struct sta_priv *pstapriv, const u8 *hwaddr)
|
||||
|
||||
index = wifi_mac_hash(hwaddr);
|
||||
|
||||
|
||||
if (index >= NUM_STA) {
|
||||
psta = NULL;
|
||||
goto exit;
|
||||
@ -583,7 +569,6 @@ struct sta_info *rtw_alloc_stainfo(struct sta_priv *pstapriv, const u8 *hwaddr)
|
||||
rtw_init_recv_timer(preorder_ctrl);
|
||||
}
|
||||
|
||||
|
||||
/* init for DM */
|
||||
psta->cmn.rssi_stat.rssi = (-1);
|
||||
psta->cmn.rssi_stat.rssi_cck = (-1);
|
||||
@ -603,14 +588,12 @@ exit:
|
||||
|
||||
_exit_critical_bh(&(pstapriv->sta_hash_lock), &irqL2);
|
||||
|
||||
|
||||
if (psta)
|
||||
rtw_mi_update_iface_status(&(pstapriv->padapter->mlmepriv), 0);
|
||||
|
||||
return psta;
|
||||
}
|
||||
|
||||
|
||||
/* using pstapriv->sta_hash_lock to protect */
|
||||
u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta)
|
||||
{
|
||||
@ -655,7 +638,6 @@ u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta)
|
||||
|
||||
pfree_sta_queue = &pstapriv->free_sta_queue;
|
||||
|
||||
|
||||
pstaxmitpriv = &psta->sta_xmitpriv;
|
||||
|
||||
/* rtw_list_delete(&psta->sleep_list); */
|
||||
@ -711,7 +693,6 @@ u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta)
|
||||
|
||||
_exit_critical_bh(&pxmitpriv->lock, &irqL0);
|
||||
|
||||
|
||||
/* re-init sta_info; 20061114 */ /* will be init in alloc_stainfo */
|
||||
/* _rtw_init_sta_xmit_priv(&psta->sta_xmitpriv); */
|
||||
/* _rtw_init_sta_recv_priv(&psta->sta_recvpriv); */
|
||||
@ -797,6 +778,11 @@ u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta)
|
||||
|
||||
#ifdef CONFIG_NATIVEAP_MLME
|
||||
|
||||
if (psta->cmn.aid > 31) {
|
||||
pr_err("***** psta->aid (%d) out of bounds\n", psta->cmn.aid);
|
||||
return _FAIL;
|
||||
}
|
||||
|
||||
if (pmlmeinfo->state == _HW_STATE_AP_) {
|
||||
rtw_tim_map_clear(padapter, pstapriv->sta_dz_bitmap, psta->cmn.aid);
|
||||
rtw_tim_map_clear(padapter, pstapriv->tim_bitmap, psta->cmn.aid);
|
||||
|
Loading…
Reference in New Issue
Block a user