qtnfmac: cleanup alignment in firmware communication protocol

Make sure that all elements in QLINK protocol message are aligned to
4 bytes. For this purpose add necessary amount of padding bytes to
each message. Besides, add padding for non-aligned variable length
fields, e.g. SSID, so that the first byte of the next variable length
element is aligned. to 4 bytes. Finally, introduce TLV parsing helpers
to reduce boilerplate TLV parsing code.

Signed-off-by: Igor Mitsyanko <igor.mitsyanko.os@quantenna.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
This commit is contained in:
Igor Mitsyanko 2020-01-27 10:46:53 +00:00 committed by Kalle Valo
parent 0d18a9c0a3
commit 8b0b5f1ba9
4 changed files with 104 additions and 162 deletions

View File

@ -175,7 +175,8 @@ static void qtnf_cmd_tlv_ie_set_add(struct sk_buff *cmd_skb, u8 frame_type,
{ {
struct qlink_tlv_ie_set *tlv; struct qlink_tlv_ie_set *tlv;
tlv = (struct qlink_tlv_ie_set *)skb_put(cmd_skb, sizeof(*tlv) + len); tlv = (struct qlink_tlv_ie_set *)skb_put(cmd_skb, sizeof(*tlv) +
round_up(len, QLINK_ALIGN));
tlv->hdr.type = cpu_to_le16(QTN_TLV_ID_IE_SET); tlv->hdr.type = cpu_to_le16(QTN_TLV_ID_IE_SET);
tlv->hdr.len = cpu_to_le16(len + sizeof(*tlv) - sizeof(tlv->hdr)); tlv->hdr.len = cpu_to_le16(len + sizeof(*tlv) - sizeof(tlv->hdr));
tlv->type = frame_type; tlv->type = frame_type;
@ -190,20 +191,24 @@ static bool qtnf_cmd_start_ap_can_fit(const struct qtnf_vif *vif,
{ {
unsigned int len = sizeof(struct qlink_cmd_start_ap); unsigned int len = sizeof(struct qlink_cmd_start_ap);
len += s->ssid_len; len += round_up(s->ssid_len, QLINK_ALIGN);
len += s->beacon.head_len; len += round_up(s->beacon.head_len, QLINK_ALIGN);
len += s->beacon.tail_len; len += round_up(s->beacon.tail_len, QLINK_ALIGN);
len += s->beacon.beacon_ies_len; len += round_up(s->beacon.beacon_ies_len, QLINK_ALIGN);
len += s->beacon.proberesp_ies_len; len += round_up(s->beacon.proberesp_ies_len, QLINK_ALIGN);
len += s->beacon.assocresp_ies_len; len += round_up(s->beacon.assocresp_ies_len, QLINK_ALIGN);
len += s->beacon.probe_resp_len; len += round_up(s->beacon.probe_resp_len, QLINK_ALIGN);
if (cfg80211_chandef_valid(&s->chandef)) if (cfg80211_chandef_valid(&s->chandef))
len += sizeof(struct qlink_tlv_chandef); len += sizeof(struct qlink_tlv_chandef);
if (s->acl) if (s->acl) {
unsigned int acl_len = struct_size(s->acl, mac_addrs,
s->acl->n_acl_entries);
len += sizeof(struct qlink_tlv_hdr) + len += sizeof(struct qlink_tlv_hdr) +
struct_size(s->acl, mac_addrs, s->acl->n_acl_entries); round_up(acl_len, QLINK_ALIGN);
}
if (len > (sizeof(struct qlink_cmd) + QTNF_MAX_CMD_BUF_SIZE)) { if (len > (sizeof(struct qlink_cmd) + QTNF_MAX_CMD_BUF_SIZE)) {
pr_err("VIF%u.%u: can not fit AP settings: %u\n", pr_err("VIF%u.%u: can not fit AP settings: %u\n",
@ -315,7 +320,8 @@ int qtnf_cmd_send_start_ap(struct qtnf_vif *vif,
if (s->ht_cap) { if (s->ht_cap) {
struct qlink_tlv_hdr *tlv = (struct qlink_tlv_hdr *) struct qlink_tlv_hdr *tlv = (struct qlink_tlv_hdr *)
skb_put(cmd_skb, sizeof(*tlv) + sizeof(*s->ht_cap)); skb_put(cmd_skb, sizeof(*tlv) +
round_up(sizeof(*s->ht_cap), QLINK_ALIGN));
tlv->type = cpu_to_le16(WLAN_EID_HT_CAPABILITY); tlv->type = cpu_to_le16(WLAN_EID_HT_CAPABILITY);
tlv->len = cpu_to_le16(sizeof(*s->ht_cap)); tlv->len = cpu_to_le16(sizeof(*s->ht_cap));
@ -339,7 +345,8 @@ int qtnf_cmd_send_start_ap(struct qtnf_vif *vif,
size_t acl_size = struct_size(s->acl, mac_addrs, size_t acl_size = struct_size(s->acl, mac_addrs,
s->acl->n_acl_entries); s->acl->n_acl_entries);
struct qlink_tlv_hdr *tlv = struct qlink_tlv_hdr *tlv =
skb_put(cmd_skb, sizeof(*tlv) + acl_size); skb_put(cmd_skb,
sizeof(*tlv) + round_up(acl_size, QLINK_ALIGN));
tlv->type = cpu_to_le16(QTN_TLV_ID_ACL_DATA); tlv->type = cpu_to_le16(QTN_TLV_ID_ACL_DATA);
tlv->len = cpu_to_le16(acl_size); tlv->len = cpu_to_le16(acl_size);
@ -581,10 +588,10 @@ qtnf_sta_info_parse_flags(struct nl80211_sta_flag_update *dst,
} }
static void static void
qtnf_cmd_sta_info_parse(struct station_info *sinfo, qtnf_cmd_sta_info_parse(struct station_info *sinfo, const u8 *data,
const struct qlink_tlv_hdr *tlv,
size_t resp_size) size_t resp_size)
{ {
const struct qlink_tlv_hdr *tlv;
const struct qlink_sta_stats *stats = NULL; const struct qlink_sta_stats *stats = NULL;
const u8 *map = NULL; const u8 *map = NULL;
unsigned int map_len = 0; unsigned int map_len = 0;
@ -595,7 +602,7 @@ qtnf_cmd_sta_info_parse(struct station_info *sinfo,
(qtnf_utils_is_bit_set(map, bitn, map_len) && \ (qtnf_utils_is_bit_set(map, bitn, map_len) && \
(offsetofend(struct qlink_sta_stats, stat_name) <= stats_len)) (offsetofend(struct qlink_sta_stats, stat_name) <= stats_len))
while (resp_size >= sizeof(*tlv)) { qlink_for_each_tlv(tlv, data, resp_size) {
tlv_len = le16_to_cpu(tlv->len); tlv_len = le16_to_cpu(tlv->len);
switch (le16_to_cpu(tlv->type)) { switch (le16_to_cpu(tlv->type)) {
@ -610,9 +617,11 @@ qtnf_cmd_sta_info_parse(struct station_info *sinfo,
default: default:
break; break;
} }
}
resp_size -= tlv_len + sizeof(*tlv); if (!qlink_tlv_parsing_ok(tlv, data, resp_size)) {
tlv = (const struct qlink_tlv_hdr *)(tlv->val + tlv_len); pr_err("Malformed TLV buffer\n");
return;
} }
if (!map || !stats) if (!map || !stats)
@ -736,9 +745,7 @@ int qtnf_cmd_get_sta_info(struct qtnf_vif *vif, const u8 *sta_mac,
goto out; goto out;
} }
qtnf_cmd_sta_info_parse(sinfo, qtnf_cmd_sta_info_parse(sinfo, resp->info, var_resp_len);
(const struct qlink_tlv_hdr *)resp->info,
var_resp_len);
out: out:
qtnf_bus_unlock(vif->mac->bus); qtnf_bus_unlock(vif->mac->bus);
@ -907,18 +914,10 @@ qtnf_cmd_resp_proc_hw_info(struct qtnf_bus *bus,
plat_id = le32_to_cpu(resp->plat_id); plat_id = le32_to_cpu(resp->plat_id);
hw_ver = le32_to_cpu(resp->hw_ver); hw_ver = le32_to_cpu(resp->hw_ver);
tlv = (const struct qlink_tlv_hdr *)resp->info; qlink_for_each_tlv(tlv, resp->info, info_len) {
while (info_len >= sizeof(*tlv)) {
tlv_type = le16_to_cpu(tlv->type); tlv_type = le16_to_cpu(tlv->type);
tlv_len = le16_to_cpu(tlv->len); tlv_len = le16_to_cpu(tlv->len);
if (tlv_len + sizeof(*tlv) > info_len) {
pr_warn("malformed TLV 0x%.2X; LEN: %u\n",
tlv_type, tlv_len);
return -EINVAL;
}
switch (tlv_type) { switch (tlv_type) {
case QTN_TLV_ID_BUILD_NAME: case QTN_TLV_ID_BUILD_NAME:
bld_name = (const void *)tlv->val; bld_name = (const void *)tlv->val;
@ -948,9 +947,11 @@ qtnf_cmd_resp_proc_hw_info(struct qtnf_bus *bus,
default: default:
break; break;
} }
}
info_len -= tlv_len + sizeof(*tlv); if (!qlink_tlv_parsing_ok(tlv, resp->info, info_len)) {
tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_len); pr_err("Malformed TLV buffer\n");
return -EINVAL;
} }
pr_info("\nBuild name: %s\n" pr_info("\nBuild name: %s\n"
@ -1019,7 +1020,6 @@ qtnf_parse_variable_mac_info(struct qtnf_wmac *mac,
const struct qlink_resp_get_mac_info *resp, const struct qlink_resp_get_mac_info *resp,
size_t tlv_buf_size) size_t tlv_buf_size)
{ {
const u8 *tlv_buf = resp->var_info;
struct ieee80211_iface_combination *comb = mac->macinfo.if_comb; struct ieee80211_iface_combination *comb = mac->macinfo.if_comb;
size_t n_comb = 0; size_t n_comb = 0;
struct ieee80211_iface_limit *limits; struct ieee80211_iface_limit *limits;
@ -1029,7 +1029,6 @@ qtnf_parse_variable_mac_info(struct qtnf_wmac *mac,
u16 rec_len; u16 rec_len;
u16 tlv_type; u16 tlv_type;
u16 tlv_value_len; u16 tlv_value_len;
size_t tlv_full_len;
const struct qlink_tlv_hdr *tlv; const struct qlink_tlv_hdr *tlv;
u8 *ext_capa = NULL; u8 *ext_capa = NULL;
u8 *ext_capa_mask = NULL; u8 *ext_capa_mask = NULL;
@ -1068,16 +1067,9 @@ qtnf_parse_variable_mac_info(struct qtnf_wmac *mac,
break; break;
} }
tlv = (const struct qlink_tlv_hdr *)tlv_buf; qlink_for_each_tlv(tlv, resp->var_info, tlv_buf_size) {
while (tlv_buf_size >= sizeof(struct qlink_tlv_hdr)) {
tlv_type = le16_to_cpu(tlv->type); tlv_type = le16_to_cpu(tlv->type);
tlv_value_len = le16_to_cpu(tlv->len); tlv_value_len = le16_to_cpu(tlv->len);
tlv_full_len = tlv_value_len + sizeof(struct qlink_tlv_hdr);
if (tlv_full_len > tlv_buf_size) {
pr_warn("MAC%u: malformed TLV 0x%.2X; LEN: %u\n",
mac->macid, tlv_type, tlv_value_len);
return -EINVAL;
}
switch (tlv_type) { switch (tlv_type) {
case QTN_TLV_ID_IFACE_LIMIT: case QTN_TLV_ID_IFACE_LIMIT:
@ -1183,14 +1175,10 @@ qtnf_parse_variable_mac_info(struct qtnf_wmac *mac,
mac->macid, tlv_type); mac->macid, tlv_type);
break; break;
} }
tlv_buf_size -= tlv_full_len;
tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_value_len);
} }
if (tlv_buf_size) { if (!qlink_tlv_parsing_ok(tlv, resp->var_info, tlv_buf_size)) {
pr_warn("MAC%u: malformed TLV buf; bytes left: %zu\n", pr_err("Malformed TLV buffer\n");
mac->macid, tlv_buf_size);
return -EINVAL; return -EINVAL;
} }
@ -1383,7 +1371,6 @@ qtnf_cmd_resp_fill_band_info(struct ieee80211_supported_band *band,
size_t payload_len) size_t payload_len)
{ {
u16 tlv_type; u16 tlv_type;
size_t tlv_len;
size_t tlv_dlen; size_t tlv_dlen;
const struct qlink_tlv_hdr *tlv; const struct qlink_tlv_hdr *tlv;
const struct qlink_channel *qchan; const struct qlink_channel *qchan;
@ -1418,24 +1405,15 @@ qtnf_cmd_resp_fill_band_info(struct ieee80211_supported_band *band,
return -ENOMEM; return -ENOMEM;
} }
tlv = (struct qlink_tlv_hdr *)resp->info; qlink_for_each_tlv(tlv, resp->info, payload_len) {
while (payload_len >= sizeof(*tlv)) {
tlv_type = le16_to_cpu(tlv->type); tlv_type = le16_to_cpu(tlv->type);
tlv_dlen = le16_to_cpu(tlv->len); tlv_dlen = le16_to_cpu(tlv->len);
tlv_len = tlv_dlen + sizeof(*tlv);
if (tlv_len > payload_len) {
pr_warn("malformed TLV 0x%.2X; LEN: %zu\n",
tlv_type, tlv_len);
goto error_ret;
}
switch (tlv_type) { switch (tlv_type) {
case QTN_TLV_ID_CHANNEL: case QTN_TLV_ID_CHANNEL:
if (unlikely(tlv_dlen != sizeof(*qchan))) { if (unlikely(tlv_dlen != sizeof(*qchan))) {
pr_err("invalid channel TLV len %zu\n", pr_err("invalid channel TLV len %zu\n",
tlv_len); tlv_dlen);
goto error_ret; goto error_ret;
} }
@ -1538,13 +1516,10 @@ qtnf_cmd_resp_fill_band_info(struct ieee80211_supported_band *band,
pr_warn("unknown TLV type: %#x\n", tlv_type); pr_warn("unknown TLV type: %#x\n", tlv_type);
break; break;
} }
payload_len -= tlv_len;
tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_dlen);
} }
if (payload_len) { if (!qlink_tlv_parsing_ok(tlv, resp->info, payload_len)) {
pr_err("malformed TLV buf; bytes left: %zu\n", payload_len); pr_err("Malformed TLV buffer\n");
goto error_ret; goto error_ret;
} }
@ -1689,16 +1664,16 @@ int qtnf_cmd_send_update_phy_params(struct qtnf_wmac *mac, u32 changed)
qtnf_cmd_skb_put_tlv_u32(cmd_skb, QTN_TLV_ID_RTS_THRESH, qtnf_cmd_skb_put_tlv_u32(cmd_skb, QTN_TLV_ID_RTS_THRESH,
wiphy->rts_threshold); wiphy->rts_threshold);
if (changed & WIPHY_PARAM_COVERAGE_CLASS) if (changed & WIPHY_PARAM_COVERAGE_CLASS)
qtnf_cmd_skb_put_tlv_u8(cmd_skb, QTN_TLV_ID_COVERAGE_CLASS, qtnf_cmd_skb_put_tlv_u32(cmd_skb, QTN_TLV_ID_COVERAGE_CLASS,
wiphy->coverage_class); wiphy->coverage_class);
if (changed & WIPHY_PARAM_RETRY_LONG) if (changed & WIPHY_PARAM_RETRY_LONG)
qtnf_cmd_skb_put_tlv_u8(cmd_skb, QTN_TLV_ID_LRETRY_LIMIT, qtnf_cmd_skb_put_tlv_u32(cmd_skb, QTN_TLV_ID_LRETRY_LIMIT,
wiphy->retry_long); wiphy->retry_long);
if (changed & WIPHY_PARAM_RETRY_SHORT) if (changed & WIPHY_PARAM_RETRY_SHORT)
qtnf_cmd_skb_put_tlv_u8(cmd_skb, QTN_TLV_ID_SRETRY_LIMIT, qtnf_cmd_skb_put_tlv_u32(cmd_skb, QTN_TLV_ID_SRETRY_LIMIT,
wiphy->retry_short); wiphy->retry_short);
ret = qtnf_cmd_send(mac->bus, cmd_skb); ret = qtnf_cmd_send(mac->bus, cmd_skb);
if (ret) if (ret)
@ -2054,13 +2029,13 @@ static void qtnf_cmd_scan_set_dwell(struct qtnf_wmac *mac,
scan_req->duration_mandatory ? "mandatory" : "max", scan_req->duration_mandatory ? "mandatory" : "max",
dwell_active, dwell_passive, duration); dwell_active, dwell_passive, duration);
qtnf_cmd_skb_put_tlv_u16(cmd_skb, qtnf_cmd_skb_put_tlv_u32(cmd_skb,
QTN_TLV_ID_SCAN_DWELL_ACTIVE, QTN_TLV_ID_SCAN_DWELL_ACTIVE,
dwell_active); dwell_active);
qtnf_cmd_skb_put_tlv_u16(cmd_skb, qtnf_cmd_skb_put_tlv_u32(cmd_skb,
QTN_TLV_ID_SCAN_DWELL_PASSIVE, QTN_TLV_ID_SCAN_DWELL_PASSIVE,
dwell_passive); dwell_passive);
qtnf_cmd_skb_put_tlv_u16(cmd_skb, qtnf_cmd_skb_put_tlv_u32(cmd_skb,
QTN_TLV_ID_SCAN_SAMPLE_DURATION, QTN_TLV_ID_SCAN_SAMPLE_DURATION,
duration); duration);
} }
@ -2416,25 +2391,15 @@ qtnf_cmd_resp_proc_chan_stat_info(struct survey_info *survey,
{ {
const struct qlink_chan_stats *stats = NULL; const struct qlink_chan_stats *stats = NULL;
const struct qlink_tlv_hdr *tlv; const struct qlink_tlv_hdr *tlv;
size_t tlv_full_len;
u16 tlv_value_len; u16 tlv_value_len;
u16 tlv_type; u16 tlv_type;
const u8 *map = NULL; const u8 *map = NULL;
unsigned int map_len = 0; unsigned int map_len = 0;
unsigned int stats_len = 0; unsigned int stats_len = 0;
tlv = (struct qlink_tlv_hdr *)payload; qlink_for_each_tlv(tlv, payload, payload_len) {
while (payload_len >= sizeof(*tlv)) {
tlv_type = le16_to_cpu(tlv->type); tlv_type = le16_to_cpu(tlv->type);
tlv_value_len = le16_to_cpu(tlv->len); tlv_value_len = le16_to_cpu(tlv->len);
tlv_full_len = tlv_value_len + sizeof(*tlv);
if (tlv_full_len > payload_len) {
pr_warn("malformed TLV 0x%.2X; LEN: %u\n",
tlv_type, tlv_value_len);
return -ENOSPC;
}
switch (tlv_type) { switch (tlv_type) {
case QTN_TLV_ID_BITMAP: case QTN_TLV_ID_BITMAP:
@ -2449,13 +2414,10 @@ qtnf_cmd_resp_proc_chan_stat_info(struct survey_info *survey,
pr_info("Unknown TLV type: %#x\n", tlv_type); pr_info("Unknown TLV type: %#x\n", tlv_type);
break; break;
} }
payload_len -= tlv_full_len;
tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_value_len);
} }
if (payload_len) { if (!qlink_tlv_parsing_ok(tlv, payload, payload_len)) {
pr_warn("malformed TLV buf; bytes left: %zu\n", payload_len); pr_err("Malformed TLV buffer\n");
return -EINVAL; return -EINVAL;
} }
@ -2657,7 +2619,7 @@ int qtnf_cmd_set_mac_acl(const struct qtnf_vif *vif,
if (!cmd_skb) if (!cmd_skb)
return -ENOMEM; return -ENOMEM;
tlv = skb_put(cmd_skb, sizeof(*tlv) + acl_size); tlv = skb_put(cmd_skb, sizeof(*tlv) + round_up(acl_size, QLINK_ALIGN));
tlv->type = cpu_to_le16(QTN_TLV_ID_ACL_DATA); tlv->type = cpu_to_le16(QTN_TLV_ID_ACL_DATA);
tlv->len = cpu_to_le16(acl_size); tlv->len = cpu_to_le16(acl_size);
qlink_acl_data_cfg2q(params, (struct qlink_acl_data *)tlv->val); qlink_acl_data_cfg2q(params, (struct qlink_acl_data *)tlv->val);

View File

@ -25,7 +25,6 @@ qtnf_event_handle_sta_assoc(struct qtnf_wmac *mac, struct qtnf_vif *vif,
size_t payload_len; size_t payload_len;
u16 tlv_type; u16 tlv_type;
u16 tlv_value_len; u16 tlv_value_len;
size_t tlv_full_len;
const struct qlink_tlv_hdr *tlv; const struct qlink_tlv_hdr *tlv;
int ret = 0; int ret = 0;
@ -58,23 +57,17 @@ qtnf_event_handle_sta_assoc(struct qtnf_wmac *mac, struct qtnf_vif *vif,
sinfo->generation = vif->generation; sinfo->generation = vif->generation;
payload_len = len - sizeof(*sta_assoc); payload_len = len - sizeof(*sta_assoc);
tlv = (const struct qlink_tlv_hdr *)sta_assoc->ies;
while (payload_len >= sizeof(*tlv)) { qlink_for_each_tlv(tlv, sta_assoc->ies, payload_len) {
tlv_type = le16_to_cpu(tlv->type); tlv_type = le16_to_cpu(tlv->type);
tlv_value_len = le16_to_cpu(tlv->len); tlv_value_len = le16_to_cpu(tlv->len);
tlv_full_len = tlv_value_len + sizeof(struct qlink_tlv_hdr);
if (tlv_full_len > payload_len) {
ret = -EINVAL;
goto out;
}
if (tlv_type == QTN_TLV_ID_IE_SET) { if (tlv_type == QTN_TLV_ID_IE_SET) {
const struct qlink_tlv_ie_set *ie_set; const struct qlink_tlv_ie_set *ie_set;
unsigned int ie_len; unsigned int ie_len;
if (payload_len < sizeof(*ie_set)) { if (tlv_value_len <
(sizeof(*ie_set) - sizeof(ie_set->hdr))) {
ret = -EINVAL; ret = -EINVAL;
goto out; goto out;
} }
@ -88,12 +81,10 @@ qtnf_event_handle_sta_assoc(struct qtnf_wmac *mac, struct qtnf_vif *vif,
sinfo->assoc_req_ies_len = ie_len; sinfo->assoc_req_ies_len = ie_len;
} }
} }
payload_len -= tlv_full_len;
tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_value_len);
} }
if (payload_len) { if (!qlink_tlv_parsing_ok(tlv, sta_assoc->ies, payload_len)) {
pr_err("Malformed TLV buffer\n");
ret = -EINVAL; ret = -EINVAL;
goto out; goto out;
} }
@ -153,7 +144,6 @@ qtnf_event_handle_bss_join(struct qtnf_vif *vif,
size_t payload_len; size_t payload_len;
u16 tlv_type; u16 tlv_type;
u16 tlv_value_len; u16 tlv_value_len;
size_t tlv_full_len;
const struct qlink_tlv_hdr *tlv; const struct qlink_tlv_hdr *tlv;
const u8 *rsp_ies = NULL; const u8 *rsp_ies = NULL;
size_t rsp_ies_len = 0; size_t rsp_ies_len = 0;
@ -235,24 +225,17 @@ qtnf_event_handle_bss_join(struct qtnf_vif *vif,
} }
payload_len = len - sizeof(*join_info); payload_len = len - sizeof(*join_info);
tlv = (struct qlink_tlv_hdr *)join_info->ies;
while (payload_len >= sizeof(struct qlink_tlv_hdr)) { qlink_for_each_tlv(tlv, join_info->ies, payload_len) {
tlv_type = le16_to_cpu(tlv->type); tlv_type = le16_to_cpu(tlv->type);
tlv_value_len = le16_to_cpu(tlv->len); tlv_value_len = le16_to_cpu(tlv->len);
tlv_full_len = tlv_value_len + sizeof(struct qlink_tlv_hdr);
if (payload_len < tlv_full_len) {
pr_warn("invalid %u TLV\n", tlv_type);
status = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto done;
}
if (tlv_type == QTN_TLV_ID_IE_SET) { if (tlv_type == QTN_TLV_ID_IE_SET) {
const struct qlink_tlv_ie_set *ie_set; const struct qlink_tlv_ie_set *ie_set;
unsigned int ie_len; unsigned int ie_len;
if (payload_len < sizeof(*ie_set)) { if (tlv_value_len <
(sizeof(*ie_set) - sizeof(ie_set->hdr))) {
pr_warn("invalid IE_SET TLV\n"); pr_warn("invalid IE_SET TLV\n");
status = WLAN_STATUS_UNSPECIFIED_FAILURE; status = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto done; goto done;
@ -275,15 +258,10 @@ qtnf_event_handle_bss_join(struct qtnf_vif *vif,
break; break;
} }
} }
payload_len -= tlv_full_len;
tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_value_len);
} }
if (payload_len) if (!qlink_tlv_parsing_ok(tlv, join_info->ies, payload_len))
pr_warn("VIF%u.%u: unexpected remaining payload: %zu\n", pr_warn("Malformed TLV buffer\n");
vif->mac->macid, vif->vifid, payload_len);
done: done:
cfg80211_connect_result(vif->netdev, join_info->bssid, NULL, 0, rsp_ies, cfg80211_connect_result(vif->netdev, join_info->bssid, NULL, 0, rsp_ies,
rsp_ies_len, status, GFP_KERNEL); rsp_ies_len, status, GFP_KERNEL);
@ -368,7 +346,6 @@ qtnf_event_handle_scan_results(struct qtnf_vif *vif,
size_t payload_len; size_t payload_len;
u16 tlv_type; u16 tlv_type;
u16 tlv_value_len; u16 tlv_value_len;
size_t tlv_full_len;
const struct qlink_tlv_hdr *tlv; const struct qlink_tlv_hdr *tlv;
const u8 *ies = NULL; const u8 *ies = NULL;
size_t ies_len = 0; size_t ies_len = 0;
@ -387,21 +364,17 @@ qtnf_event_handle_scan_results(struct qtnf_vif *vif,
} }
payload_len = len - sizeof(*sr); payload_len = len - sizeof(*sr);
tlv = (struct qlink_tlv_hdr *)sr->payload;
while (payload_len >= sizeof(struct qlink_tlv_hdr)) { qlink_for_each_tlv(tlv, sr->payload, payload_len) {
tlv_type = le16_to_cpu(tlv->type); tlv_type = le16_to_cpu(tlv->type);
tlv_value_len = le16_to_cpu(tlv->len); tlv_value_len = le16_to_cpu(tlv->len);
tlv_full_len = tlv_value_len + sizeof(struct qlink_tlv_hdr);
if (tlv_full_len > payload_len)
return -EINVAL;
if (tlv_type == QTN_TLV_ID_IE_SET) { if (tlv_type == QTN_TLV_ID_IE_SET) {
const struct qlink_tlv_ie_set *ie_set; const struct qlink_tlv_ie_set *ie_set;
unsigned int ie_len; unsigned int ie_len;
if (payload_len < sizeof(*ie_set)) if (tlv_value_len <
(sizeof(*ie_set) - sizeof(ie_set->hdr)))
return -EINVAL; return -EINVAL;
ie_set = (const struct qlink_tlv_ie_set *)tlv; ie_set = (const struct qlink_tlv_ie_set *)tlv;
@ -424,12 +397,9 @@ qtnf_event_handle_scan_results(struct qtnf_vif *vif,
ies_len = ie_len; ies_len = ie_len;
} }
} }
payload_len -= tlv_full_len;
tlv = (struct qlink_tlv_hdr *)(tlv->val + tlv_value_len);
} }
if (payload_len) if (!qlink_tlv_parsing_ok(tlv, sr->payload, payload_len))
return -EINVAL; return -EINVAL;
bss = cfg80211_inform_bss(wiphy, channel, frame_type, bss = cfg80211_inform_bss(wiphy, channel, frame_type,

View File

@ -19,6 +19,8 @@
#define QLINK_PROTO_VER \ #define QLINK_PROTO_VER \
QLINK_VER(QLINK_PROTO_VER_MAJOR, QLINK_PROTO_VER_MINOR) QLINK_VER(QLINK_PROTO_VER_MAJOR, QLINK_PROTO_VER_MINOR)
#define QLINK_ALIGN 4
#define QLINK_MACID_RSVD 0xFF #define QLINK_MACID_RSVD 0xFF
#define QLINK_VIFID_RSVD 0xFF #define QLINK_VIFID_RSVD 0xFF
@ -184,7 +186,7 @@ struct qlink_chandef {
__le16 center_freq1; __le16 center_freq1;
__le16 center_freq2; __le16 center_freq2;
u8 width; u8 width;
u8 rsvd; u8 rsvd[3];
} __packed; } __packed;
#define QLINK_MAX_NR_CIPHER_SUITES 5 #define QLINK_MAX_NR_CIPHER_SUITES 5
@ -340,9 +342,9 @@ struct qlink_cmd {
struct qlink_msg_header mhdr; struct qlink_msg_header mhdr;
__le16 cmd_id; __le16 cmd_id;
__le16 seq_num; __le16 seq_num;
u8 rsvd[2];
u8 macid; u8 macid;
u8 vifid; u8 vifid;
u8 rsvd[2];
} __packed; } __packed;
/** /**
@ -404,6 +406,7 @@ struct qlink_cmd_mgmt_frame_register {
struct qlink_cmd chdr; struct qlink_cmd chdr;
__le16 frame_type; __le16 frame_type;
u8 do_register; u8 do_register;
u8 rsvd[1];
} __packed; } __packed;
/** /**
@ -441,6 +444,7 @@ struct qlink_cmd_frame_tx {
struct qlink_cmd_get_sta_info { struct qlink_cmd_get_sta_info {
struct qlink_cmd chdr; struct qlink_cmd chdr;
u8 sta_addr[ETH_ALEN]; u8 sta_addr[ETH_ALEN];
u8 rsvd[2];
} __packed; } __packed;
/** /**
@ -460,6 +464,7 @@ struct qlink_cmd_add_key {
u8 addr[ETH_ALEN]; u8 addr[ETH_ALEN];
__le32 cipher; __le32 cipher;
__le16 vlanid; __le16 vlanid;
u8 rsvd[2];
u8 key_data[0]; u8 key_data[0];
} __packed; } __packed;
@ -489,6 +494,7 @@ struct qlink_cmd_set_def_key {
u8 key_index; u8 key_index;
u8 unicast; u8 unicast;
u8 multicast; u8 multicast;
u8 rsvd[1];
} __packed; } __packed;
/** /**
@ -499,6 +505,7 @@ struct qlink_cmd_set_def_key {
struct qlink_cmd_set_def_mgmt_key { struct qlink_cmd_set_def_mgmt_key {
struct qlink_cmd chdr; struct qlink_cmd chdr;
u8 key_index; u8 key_index;
u8 rsvd[3];
} __packed; } __packed;
/** /**
@ -515,6 +522,7 @@ struct qlink_cmd_change_sta {
__le16 if_type; __le16 if_type;
__le16 vlanid; __le16 vlanid;
u8 sta_addr[ETH_ALEN]; u8 sta_addr[ETH_ALEN];
u8 rsvd[2];
} __packed; } __packed;
/** /**
@ -525,8 +533,9 @@ struct qlink_cmd_change_sta {
struct qlink_cmd_del_sta { struct qlink_cmd_del_sta {
struct qlink_cmd chdr; struct qlink_cmd chdr;
__le16 reason_code; __le16 reason_code;
u8 subtype;
u8 sta_addr[ETH_ALEN]; u8 sta_addr[ETH_ALEN];
u8 subtype;
u8 rsvd[3];
} __packed; } __packed;
enum qlink_sta_connect_flags { enum qlink_sta_connect_flags {
@ -593,6 +602,7 @@ struct qlink_cmd_external_auth {
struct qlink_cmd_disconnect { struct qlink_cmd_disconnect {
struct qlink_cmd chdr; struct qlink_cmd chdr;
__le16 reason; __le16 reason;
u8 rsvd[2];
} __packed; } __packed;
/** /**
@ -604,6 +614,7 @@ struct qlink_cmd_disconnect {
struct qlink_cmd_updown { struct qlink_cmd_updown {
struct qlink_cmd chdr; struct qlink_cmd chdr;
u8 if_up; u8 if_up;
u8 rsvd[3];
} __packed; } __packed;
/** /**
@ -627,6 +638,7 @@ enum qlink_band {
struct qlink_cmd_band_info_get { struct qlink_cmd_band_info_get {
struct qlink_cmd chdr; struct qlink_cmd chdr;
u8 band; u8 band;
u8 rsvd[3];
} __packed; } __packed;
/** /**
@ -702,6 +714,7 @@ struct qlink_cmd_chan_switch {
u8 radar_required; u8 radar_required;
u8 block_tx; u8 block_tx;
u8 beacon_count; u8 beacon_count;
u8 rsvd[3];
} __packed; } __packed;
/** /**
@ -805,6 +818,7 @@ struct qlink_cmd_pm_set {
struct qlink_cmd chdr; struct qlink_cmd chdr;
__le32 pm_standby_timer; __le32 pm_standby_timer;
u8 pm_mode; u8 pm_mode;
u8 rsvd[3];
} __packed; } __packed;
/** /**
@ -1225,6 +1239,7 @@ struct qlink_event_bss_join {
struct qlink_event_bss_leave { struct qlink_event_bss_leave {
struct qlink_event ehdr; struct qlink_event ehdr;
__le16 reason; __le16 reason;
u8 rsvd[2];
} __packed; } __packed;
/** /**
@ -1341,10 +1356,10 @@ struct qlink_event_radar {
*/ */
struct qlink_event_external_auth { struct qlink_event_external_auth {
struct qlink_event ehdr; struct qlink_event ehdr;
u8 ssid[IEEE80211_MAX_SSID_LEN];
u8 ssid_len;
u8 bssid[ETH_ALEN];
__le32 akm_suite; __le32 akm_suite;
u8 ssid[IEEE80211_MAX_SSID_LEN];
u8 bssid[ETH_ALEN];
u8 ssid_len;
u8 action; u8 action;
} __packed; } __packed;
@ -1560,6 +1575,7 @@ struct qlink_tlv_ie_set {
struct qlink_tlv_hdr hdr; struct qlink_tlv_hdr hdr;
u8 type; u8 type;
u8 flags; u8 flags;
u8 rsvd[2];
u8 ie_data[0]; u8 ie_data[0];
} __packed; } __packed;
@ -1572,6 +1588,7 @@ struct qlink_tlv_ie_set {
struct qlink_tlv_ext_ie { struct qlink_tlv_ext_ie {
struct qlink_tlv_hdr hdr; struct qlink_tlv_hdr hdr;
u8 eid_ext; u8 eid_ext;
u8 rsvd[3];
u8 ie_data[0]; u8 ie_data[0];
} __packed; } __packed;

View File

@ -20,8 +20,9 @@ static inline void qtnf_cmd_skb_put_tlv_arr(struct sk_buff *skb,
u16 tlv_id, const u8 arr[], u16 tlv_id, const u8 arr[],
size_t arr_len) size_t arr_len)
{ {
struct qlink_tlv_hdr *hdr = skb_put(skb, sizeof(*hdr) + arr_len); struct qlink_tlv_hdr *hdr;
hdr = skb_put(skb, sizeof(*hdr) + round_up(arr_len, QLINK_ALIGN));
hdr->type = cpu_to_le16(tlv_id); hdr->type = cpu_to_le16(tlv_id);
hdr->len = cpu_to_le16(arr_len); hdr->len = cpu_to_le16(arr_len);
memcpy(hdr->val, arr, arr_len); memcpy(hdr->val, arr, arr_len);
@ -35,27 +36,6 @@ static inline void qtnf_cmd_skb_put_tlv_tag(struct sk_buff *skb, u16 tlv_id)
hdr->len = cpu_to_le16(0); hdr->len = cpu_to_le16(0);
} }
static inline void qtnf_cmd_skb_put_tlv_u8(struct sk_buff *skb, u16 tlv_id,
u8 value)
{
struct qlink_tlv_hdr *hdr = skb_put(skb, sizeof(*hdr) + sizeof(value));
hdr->type = cpu_to_le16(tlv_id);
hdr->len = cpu_to_le16(sizeof(value));
*hdr->val = value;
}
static inline void qtnf_cmd_skb_put_tlv_u16(struct sk_buff *skb,
u16 tlv_id, u16 value)
{
struct qlink_tlv_hdr *hdr = skb_put(skb, sizeof(*hdr) + sizeof(value));
__le16 tmp = cpu_to_le16(value);
hdr->type = cpu_to_le16(tlv_id);
hdr->len = cpu_to_le16(sizeof(value));
memcpy(hdr->val, &tmp, sizeof(tmp));
}
static inline void qtnf_cmd_skb_put_tlv_u32(struct sk_buff *skb, static inline void qtnf_cmd_skb_put_tlv_u32(struct sk_buff *skb,
u16 tlv_id, u32 value) u16 tlv_id, u32 value)
{ {
@ -85,4 +65,17 @@ u32 qlink_utils_chflags_cfg2q(u32 cfgflags);
void qlink_utils_regrule_q2nl(struct ieee80211_reg_rule *rule, void qlink_utils_regrule_q2nl(struct ieee80211_reg_rule *rule,
const struct qlink_tlv_reg_rule *tlv_rule); const struct qlink_tlv_reg_rule *tlv_rule);
#define qlink_for_each_tlv(_tlv, _start, _datalen) \
for (_tlv = (const struct qlink_tlv_hdr *)(_start); \
(const u8 *)(_start) + (_datalen) - (const u8 *)_tlv >= \
(int)sizeof(*_tlv) && \
(const u8 *)(_start) + (_datalen) - (const u8 *)_tlv >= \
(int)sizeof(*_tlv) + le16_to_cpu(_tlv->len); \
_tlv = (const struct qlink_tlv_hdr *)(_tlv->val + \
round_up(le16_to_cpu(_tlv->len), QLINK_ALIGN)))
#define qlink_tlv_parsing_ok(_tlv_last, _start, _datalen) \
((const u8 *)(_tlv_last) == \
(const u8 *)(_start) + round_up(_datalen, QLINK_ALIGN))
#endif /* _QTN_FMAC_QLINK_UTIL_H_ */ #endif /* _QTN_FMAC_QLINK_UTIL_H_ */