@@ -980,20 +980,17 @@ static void brcmf_escan_prep(struct brcmf_cfg80211_info *cfg,
980980
981981 eth_broadcast_addr (params_le -> bssid );
982982 params_le -> bss_type = DOT11_BSSTYPE_ANY ;
983- params_le -> scan_type = 0 ;
983+ params_le -> scan_type = BRCMF_SCANTYPE_ACTIVE ;
984984 params_le -> channel_num = 0 ;
985985 params_le -> nprobes = cpu_to_le32 (-1 );
986986 params_le -> active_time = cpu_to_le32 (-1 );
987987 params_le -> passive_time = cpu_to_le32 (-1 );
988988 params_le -> home_time = cpu_to_le32 (-1 );
989989 memset (& params_le -> ssid_le , 0 , sizeof (params_le -> ssid_le ));
990990
991- /* if request is null exit so it will be all channel broadcast scan */
992- if (!request )
993- return ;
994-
995991 n_ssids = request -> n_ssids ;
996992 n_channels = request -> n_channels ;
993+
997994 /* Copy channel array if applicable */
998995 brcmf_dbg (SCAN , "### List of channelspecs to scan ### %d\n" ,
999996 n_channels );
@@ -1030,16 +1027,8 @@ static void brcmf_escan_prep(struct brcmf_cfg80211_info *cfg,
10301027 ptr += sizeof (ssid_le );
10311028 }
10321029 } else {
1033- brcmf_dbg (SCAN , "Broadcast scan %p\n" , request -> ssids );
1034- if ((request -> ssids ) && request -> ssids -> ssid_len ) {
1035- brcmf_dbg (SCAN , "SSID %s len=%d\n" ,
1036- params_le -> ssid_le .SSID ,
1037- request -> ssids -> ssid_len );
1038- params_le -> ssid_le .SSID_len =
1039- cpu_to_le32 (request -> ssids -> ssid_len );
1040- memcpy (& params_le -> ssid_le .SSID , request -> ssids -> ssid ,
1041- request -> ssids -> ssid_len );
1042- }
1030+ brcmf_dbg (SCAN , "Performing passive scan\n" );
1031+ params_le -> scan_type = BRCMF_SCANTYPE_PASSIVE ;
10431032 }
10441033 /* Adding mask to channel numbers */
10451034 params_le -> channel_num =
@@ -3162,6 +3151,7 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
31623151 struct brcmf_cfg80211_info * cfg = ifp -> drvr -> config ;
31633152 s32 status ;
31643153 struct brcmf_escan_result_le * escan_result_le ;
3154+ u32 escan_buflen ;
31653155 struct brcmf_bss_info_le * bss_info_le ;
31663156 struct brcmf_bss_info_le * bss = NULL ;
31673157 u32 bi_length ;
@@ -3181,11 +3171,23 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
31813171
31823172 if (status == BRCMF_E_STATUS_PARTIAL ) {
31833173 brcmf_dbg (SCAN , "ESCAN Partial result\n" );
3174+ if (e -> datalen < sizeof (* escan_result_le )) {
3175+ brcmf_err ("invalid event data length\n" );
3176+ goto exit ;
3177+ }
31843178 escan_result_le = (struct brcmf_escan_result_le * ) data ;
31853179 if (!escan_result_le ) {
31863180 brcmf_err ("Invalid escan result (NULL pointer)\n" );
31873181 goto exit ;
31883182 }
3183+ escan_buflen = le32_to_cpu (escan_result_le -> buflen );
3184+ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
3185+ escan_buflen > e -> datalen ||
3186+ escan_buflen < sizeof (* escan_result_le )) {
3187+ brcmf_err ("Invalid escan buffer length: %d\n" ,
3188+ escan_buflen );
3189+ goto exit ;
3190+ }
31893191 if (le16_to_cpu (escan_result_le -> bss_count ) != 1 ) {
31903192 brcmf_err ("Invalid bss_count %d: ignoring\n" ,
31913193 escan_result_le -> bss_count );
@@ -3202,9 +3204,8 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
32023204 }
32033205
32043206 bi_length = le32_to_cpu (bss_info_le -> length );
3205- if (bi_length != (le32_to_cpu (escan_result_le -> buflen ) -
3206- WL_ESCAN_RESULTS_FIXED_SIZE )) {
3207- brcmf_err ("Invalid bss_info length %d: ignoring\n" ,
3207+ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE ) {
3208+ brcmf_err ("Ignoring invalid bss_info length: %d\n" ,
32083209 bi_length );
32093210 goto exit ;
32103211 }
0 commit comments