source: branches/chaos_calmer/package/kernel/mac80211/patches/351-0046-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch @ 49407

Last change on this file since 49407 was 49407, checked in by rmilecki, 12 months ago

mac80211: brcmfmac: backport changes from 2016-09-27

This fixes memory leaks, some possible crashes and bug that could cause
WARNING on every add_key/del_key call. It also replaces WARNING with
a simple message. They may still occur e.g. on station going out of
range and A-MPDU stall in the firmware.

Signed-off-by: Rafał Miłecki <rafal@…>

File size: 1.9 KB
  • drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

    From a7ed7828ecda0c2b5e0d7f55dedd4230afd4b583 Mon Sep 17 00:00:00 2001
    From: Hante Meuleman <>
    Date: Mon, 19 Sep 2016 12:09:58 +0100
    Subject: [PATCH] brcmfmac: fix out of bound access on clearing wowl wake
    Clearing the wowl wakeindicator happens with a rather odd
    construction where the string "clear" is used to set the iovar
    wowl_wakeind. This was implemented incorrectly as it caused an
    out of bound access. Use an intermediate variable of correct
    length and copy string in that. Problem was found using coverity.
    Reviewed-by: Arend Van Spriel <>
    Reviewed-by: Franky Lin <>
    Reviewed-by: Pieter-Paul Giesberts <>
    Signed-off-by: Hante Meuleman <>
    Signed-off-by: Arend van Spriel <>
    Signed-off-by: Kalle Valo <>
     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 6 ++++--
     1 file changed, 4 insertions(+), 2 deletions(-)
    a b static void brcmf_configure_wowl(struct 
    36233623                                 struct cfg80211_wowlan *wowl) 
    36253625        u32 wowl_config; 
     3626        struct brcmf_wowl_wakeind_le wowl_wakeind; 
    36263627        u32 i; 
    36283629        brcmf_dbg(TRACE, "Suspend, wowl config.\n"); 
    static void brcmf_configure_wowl(struct 
    36643665        if (!test_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state)) 
    36653666                wowl_config |= BRCMF_WOWL_UNASSOC; 
    3667         brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", "clear", 
    3668                                  sizeof(struct brcmf_wowl_wakeind_le)); 
     3668        memcpy(&wowl_wakeind, "clear", 6); 
     3669        brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", &wowl_wakeind, 
     3670                                 sizeof(wowl_wakeind)); 
    36693671        brcmf_fil_iovar_int_set(ifp, "wowl", wowl_config); 
    36703672        brcmf_fil_iovar_int_set(ifp, "wowl_activate", 1); 
    36713673        brcmf_bus_wowl_config(cfg->pub->bus_if, true); 
Note: See TracBrowser for help on using the repository browser.