From 5ee5d67d22c427729374bb4afd0b4ac4c43f4d5c Mon Sep 17 00:00:00 2001 From: kimocoder Date: Sat, 24 Aug 2019 00:56:50 +0200 Subject: [PATCH] Add check for psta->cmn.aid out of bounds --- core/rtw_sta_mgt.c | 24 +++++------------------- 1 file changed, 5 insertions(+), 19 deletions(-) diff --git a/core/rtw_sta_mgt.c b/core/rtw_sta_mgt.c index a3de892..74f196e 100644 --- a/core/rtw_sta_mgt.c +++ b/core/rtw_sta_mgt.c @@ -16,13 +16,6 @@ #include -#if defined(PLATFORM_LINUX) && defined (PLATFORM_WINDOWS) - - #error "Shall be Linux or Windows, but not both!\n" - -#endif - - bool test_st_match_rule(_adapter *adapter, u8 *local_naddr, u8 *local_port, u8 *remote_naddr, u8 *remote_port) { if (ntohs(*((u16 *)local_port)) == 5001 || ntohs(*((u16 *)remote_port)) == 5001) @@ -369,7 +362,6 @@ static void _rtw_free_sta_recv_priv_lock(struct sta_recv_priv *psta_recvpriv) _rtw_spinlock_free(&(psta_recvpriv->defrag_q.lock)); - } void rtw_mfree_stainfo(struct sta_info *psta); @@ -384,7 +376,6 @@ void rtw_mfree_stainfo(struct sta_info *psta) } - /* this function is used to free the memory of lock || sema for all stainfos */ void rtw_mfree_all_stainfo(struct sta_priv *pstapriv); void rtw_mfree_all_stainfo(struct sta_priv *pstapriv) @@ -393,7 +384,6 @@ void rtw_mfree_all_stainfo(struct sta_priv *pstapriv) _list *plist, *phead; struct sta_info *psta = NULL; - _enter_critical_bh(&pstapriv->sta_hash_lock, &irqL); phead = get_list_head(&pstapriv->free_sta_queue); @@ -408,7 +398,6 @@ void rtw_mfree_all_stainfo(struct sta_priv *pstapriv) _exit_critical_bh(&pstapriv->sta_hash_lock, &irqL); - } void rtw_mfree_sta_priv_lock(struct sta_priv *pstapriv); @@ -485,7 +474,6 @@ u32 _rtw_free_sta_priv(struct sta_priv *pstapriv) return _SUCCESS; } - static void rtw_init_recv_timer(struct recv_reorder_ctrl *preorder_ctrl) { _adapter *padapter = preorder_ctrl->padapter; 
@@ -507,7 +495,6 @@ struct sta_info *rtw_alloc_stainfo(struct sta_priv *pstapriv, const u8 *hwaddr) int i = 0; u16 wRxSeqInitialValue = 0xffff; - pfree_sta_queue = &pstapriv->free_sta_queue; /* _enter_critical_bh(&(pfree_sta_queue->lock), &irqL); */ @@ -528,7 +515,6 @@ struct sta_info *rtw_alloc_stainfo(struct sta_priv *pstapriv, const u8 *hwaddr) index = wifi_mac_hash(hwaddr); - if (index >= NUM_STA) { psta = NULL; goto exit; @@ -583,7 +569,6 @@ struct sta_info *rtw_alloc_stainfo(struct sta_priv *pstapriv, const u8 *hwaddr) rtw_init_recv_timer(preorder_ctrl); } - /* init for DM */ psta->cmn.rssi_stat.rssi = (-1); psta->cmn.rssi_stat.rssi_cck = (-1); @@ -603,14 +588,12 @@ exit: _exit_critical_bh(&(pstapriv->sta_hash_lock), &irqL2); - if (psta) rtw_mi_update_iface_status(&(pstapriv->padapter->mlmepriv), 0); return psta; } - /* using pstapriv->sta_hash_lock to protect */ u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta) { @@ -655,7 +638,6 @@ u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta) pfree_sta_queue = &pstapriv->free_sta_queue; - pstaxmitpriv = &psta->sta_xmitpriv; /* rtw_list_delete(&psta->sleep_list); */ @@ -711,7 +693,6 @@ u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta) _exit_critical_bh(&pxmitpriv->lock, &irqL0); - /* re-init sta_info; 20061114 */ /* will be init in alloc_stainfo */ /* _rtw_init_sta_xmit_priv(&psta->sta_xmitpriv); */ /* _rtw_init_sta_recv_priv(&psta->sta_recvpriv); */ @@ -797,6 +778,11 @@ u32 rtw_free_stainfo(_adapter *padapter , struct sta_info *psta) #ifdef CONFIG_NATIVEAP_MLME + if (psta->cmn.aid > 31) { + pr_err("***** psta->aid (%d) out of bounds\n", psta->cmn.aid); + return _FAIL; + } + if (pmlmeinfo->state == _HW_STATE_AP_) { rtw_tim_map_clear(padapter, pstapriv->sta_dz_bitmap, psta->cmn.aid); rtw_tim_map_clear(padapter, pstapriv->tim_bitmap, psta->cmn.aid);
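Review bot: The `return _FAIL;` added ahead of the `_HW_STATE_AP_` block leaves rtw_free_stainfo() partway through its teardown, because earlier hunks of the same function show the station's transmit state already being released under `pxmitpriv->lock` before this point. The function continues outside the hunk; if that remainder is what hands the entry back to `free_sta_queue`, every station freed with an aid above 31 leaves a slot that is never reclaimed, and repeated occurrences could exhaust the station table. The out-of-range value only matters to the two `rtw_tim_map_clear()` calls, so it is safer to keep the `pr_err()`, drop the early return, and guard just those calls with `if (psta->cmn.aid <= 31)`. The literal 31 should also become a named limit derived from the size of `sta_dz_bitmap`/`tim_bitmap` (their declarations are not visible here), so the check cannot drift from the bitmap width.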