Re: [PATCH 21/27] qtnfmac: extend "IE set" TLV to include frame type info

[PATCH 00/27] qtnfmac: allow to configure channel, BW, HT/VHT caps · <hidden> · 2017-08-25
[PATCH 01/27] qtnfmac: qlink: convert channel width from bitfiled to simple enum · <hidden> · 2017-08-25
[PATCH 03/27] qtnfmac: retreive current channel info from EP · <hidden> · 2017-08-25
Re: [PATCH 03/27] qtnfmac: retreive current channel info from EP · Sergey Matyukevich <hidden> · 2017-08-29
Re: [PATCH 03/27] qtnfmac: retreive current channel info from EP · Igor Mitsyanko <hidden> · 2017-08-30
[PATCH 02/27] qtnfmac: make "Channel change" event report full channel info · <hidden> · 2017-08-25
Re: [PATCH 02/27] qtnfmac: make "Channel change" event report full channel info · Sergey Matyukevich <hidden> · 2017-08-29
Re: [PATCH 02/27] qtnfmac: make "Channel change" event report full channel info · Igor Mitsyanko <hidden> · 2017-08-30
[PATCH 04/27] qtnfmac: do not cache AP settings in driver structures · <hidden> · 2017-08-25
[PATCH 05/27] qtnfmac: pass all AP settings to wireless card for processing · <hidden> · 2017-08-25
[PATCH 06/27] qtnfmac: pass full channel definition to device on start_ap command · <hidden> · 2017-08-25
Re: [PATCH 06/27] qtnfmac: pass full channel definition to device on start_ap command · Sergey Matyukevich <hidden> · 2017-08-30
[PATCH 07/27] qtnfmac: get rid of QTNF_STATE_AP_CONFIG · <hidden> · 2017-08-25
[PATCH 08/27] qtnfmac: get rid of QTNF_STATE_AP_START usage · <hidden> · 2017-08-25
[PATCH 09/27] qtnfmac: do not cache BSS state in per-VIF structure · <hidden> · 2017-08-25
[PATCH 10/27] qtnfmac: do not cache channel info from "connect" command · <hidden> · 2017-08-25
[PATCH 11/27] qtnfmac: make encryption info a part of "connect" command. · <hidden> · 2017-08-25
[PATCH 12/27] qtnfmac: let wifi card handle channel switch request to the same chan · <hidden> · 2017-08-25
[PATCH 13/27] qtnfmac: pass VIF info to SendChannel command · <hidden> · 2017-08-25
[PATCH 14/27] qtnfmac: do not cache CSA chandef info · <hidden> · 2017-08-25
Re: [PATCH 14/27] qtnfmac: do not cache CSA chandef info · Sergey Matyukevich <hidden> · 2017-08-29
Re: [PATCH 14/27] qtnfmac: do not cache CSA chandef info · Igor Mitsyanko <hidden> · 2017-08-30
Re: [PATCH 14/27] qtnfmac: do not cache CSA chandef info · Sergey Matyukevich <hidden> · 2017-08-30
[PATCH 15/27] qtnfmac: remove unused mac::status field · <hidden> · 2017-08-25
Re: [PATCH 15/27] qtnfmac: remove unused mac::status field · Sergey Matyukevich <hidden> · 2017-08-29
[PATCH 16/27] qtnfmac: stop using private driver info about current channel · <hidden> · 2017-08-25
[PATCH 17/27] qtnfmac: do not report channel changes until wiphy is registered · <hidden> · 2017-08-25
[PATCH 18/27] qtnfmac: use per-band HT/VHT info from wireless device · <hidden> · 2017-08-25
[PATCH 19/27] qtnfmac: initialize HT/VHT caps "can override" masks · <hidden> · 2017-08-25
[PATCH 20/27] qtnfmac: get rid of PHYMODE capabilities flags · <hidden> · 2017-08-25
[PATCH 21/27] qtnfmac: extend "IE set" TLV to include frame type info · <hidden> · 2017-08-25
Re: [PATCH 21/27] qtnfmac: extend "IE set" TLV to include frame type info · Sergey Matyukevich <hidden> · 2017-08-30
Re: [PATCH 21/27] qtnfmac: extend "IE set" TLV to include frame type info · Sergey Matyukevich <hidden> · 2017-08-30
[PATCH 22/27] qtnfmac: SCAN results: retreive frame type information from "IE set" TLV · <hidden> · 2017-08-25
[PATCH 23/27] qtnfmac: convert "Append IEs" command to QTN_TLV_ID_IE_SET usage · <hidden> · 2017-08-25
Re: [PATCH 23/27] qtnfmac: convert "Append IEs" command to QTN_TLV_ID_IE_SET usage · Sergey Matyukevich <hidden> · 2017-08-30
[PATCH 24/27] qtnfmac: configure and start AP interface with a single command · <hidden> · 2017-08-25
Re: [PATCH 24/27] qtnfmac: configure and start AP interface with a single command · Sergey Matyukevich <hidden> · 2017-08-30
[PATCH 25/27] nl80211: look for HT/VHT capabilities in beacon's tail · <hidden> · 2017-08-25
[PATCH 26/27] qtnfmac: include HTCAP and VHTCAP into config AP command · <hidden> · 2017-08-25
[PATCH 27/27] qtnfmac: pass all CONNECT cmd params to wireless card for processing · <hidden> · 2017-08-25
Re: [PATCH 00/27] qtnfmac: allow to configure channel, BW, HT/VHT caps · Kalle Valo <hidden> · 2017-08-30
Re: [PATCH 00/27] qtnfmac: allow to configure channel, BW, HT/VHT caps · Kalle Valo <hidden> · 2017-08-30
Re: [PATCH 00/27] qtnfmac: allow to configure channel, BW, HT/VHT caps · Kalle Valo <hidden> · 2017-08-30
Re: [PATCH 00/27] qtnfmac: allow to configure channel, BW, HT/VHT caps · Igor Mitsyanko <hidden> · 2017-08-30
Re: [PATCH 00/27] qtnfmac: allow to configure channel, BW, HT/VHT caps · Igor Mitsyanko <hidden> · 2017-08-30

From: Sergey Matyukevich <hidden>
Date: 2017-08-30 12:07:32

-		if (tlv_full_len > payload_len) {
-			pr_warn("VIF%u.%u: malformed TLV 0x%.2X; LEN: %u\n",
-				mac->macid, vif->vifid, tlv_type,
-				tlv_value_len);
+		if (tlv_full_len > payload_len)
 			return -EINVAL;
-		}

Why drop this sanity check ?

 		if (tlv_type == QTN_TLV_ID_IE_SET) {
-			sinfo.assoc_req_ies = tlv->val;
-			sinfo.assoc_req_ies_len = tlv_value_len;
+			const struct qlink_tlv_ie_set *ie_set;
+			unsigned int ie_len;
+
+			if (payload_len < sizeof(*ie_set))
+				return -EINVAL;
+
+			ie_set = (const struct qlink_tlv_ie_set *)tlv;
+			ie_len = tlv_value_len -
+				(sizeof(*ie_set) - sizeof(ie_set->hdr));
+
+			if (ie_set->type == QLINK_IE_SET_ASSOC_REQ && ie_len) {
+				sinfo.assoc_req_ies = ie_set->ie_data;
+				sinfo.assoc_req_ies_len = ie_len;
+			}
 		}

Does it make sense to keep QTN_TLV_ID_IE_SET here at all ?
Maybe replace it completely by qlink_tlv_ie_set with
QLINK_IE_SET_ASSOC_REQ type ? Also see the comment below
for the similar snippet in qtnf_event_handle_scan_results.

...

-		if (tlv_full_len > payload_len) {
-			pr_warn("VIF%u.%u: malformed TLV 0x%.2X; LEN: %u\n",
-				vif->mac->macid, vif->vifid, tlv_type,
-				tlv_value_len);
+		if (tlv_full_len > payload_len)
 			return -EINVAL;
-		}

ditto

...

 		if (tlv_type == QTN_TLV_ID_IE_SET) {
-			ies = tlv->val;
-			ies_len = tlv_value_len;
+			const struct qlink_tlv_ie_set *ie_set;
+			unsigned int ie_len;
+
+			if (payload_len < sizeof(*ie_set))
+				return -EINVAL;
+
+			ie_set = (const struct qlink_tlv_ie_set *)tlv;
+			ie_len = tlv_value_len -
+				(sizeof(*ie_set) - sizeof(ie_set->hdr));
+
+			if (ie_len) {
+				ies = ie_set->ie_data;
+				ies_len = ie_len;
+			}
 		}
 	}

Two points here. First, it looks like there is a problem here inherited
from the existing implementation. We go through payload, but in fact we
pass to cfg80211_inform_bss only the last QTN_TLV_ID_IE_SET element.
Second, it looks like QTN_TLV_ID_IE_SET here should be treated in
the same way as in qtnf_event_handle_sta_assoc, to avoid confusion.
In other words, either we use only QTN_TLV_ID_IE_SET in both cases,
or switch to specific qlink_tlv_ie_set elements.

Thoughts ? Comments ?

Regards,
Sergey

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help