From 573b2f4e6e8a00b2c5c99892d3a4819e1eb1d71a Mon Sep 17 00:00:00 2001 
From: Larry Finger Date: Fri, 30 Jun 2023 11:28:23 -0500 Subject: [PATCH] rtl8188eu: Address warning in createbss_hdl() The code issues a warning as follows: [ 817.111258] WARNING: CPU: 5 PID: 772 at createbss_hdl+0x120/0x148 [8188eu] [ 817.111502] Modules linked in: 8188eu(O) cfg80211 lib80211 [last unloaded: 8188eu] [ 817.111520] CPU: 5 PID: 772 Comm: RTW_CMD_THREAD Tainted: G WC O 5.10.145-rt74+g1594b25154a2 #1 [ 817.111527] Hardware name: NXP S32G399A-RDB3 (DT) [ 817.111531] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--) [ 817.111537] pc : createbss_hdl+0x120/0x148 [8188eu] [ 817.111672] lr : rtw_cmd_thread+0x454/0x548 [8188eu] [ 817.111806] sp : ffffffc013db3da0 [ 817.111808] x29: ffffffc013db3da0 x28: ffffffc0089c9168 [ 817.111815] x27: ffffffc008909f74 x26: 0000000000001400 [ 817.111821] x25: ffffffc0089c90f8 x24: ffffffc011010320 [ 817.111827] x23: ffffffc011010400 x22: 000000010001f8f3 [ 817.111833] x21: ffffffc011010350 x20: ffffffc01100f000 [ 817.111839] x19: ffffffc01100f000 x18: 0000000000000000 [ 817.111845] x17: 0000000000000001 x16: 0000000000000000 [ 817.111851] x15: 001fffffffffffff x14: 00000000001d7000 [ 817.111857] x13: 0000000000000370 x12: 0000000000000000 [ 817.111863] x11: 0000000000000370 x10: 00000000000008e0 [ 817.111868] x9 : ffffffc013db3960 x8 : ffffff880230eb00 [ 817.111874] x7 : 0000000000000001 x6 : ffffff8804ea9206 [ 817.111880] x5 : 0000800020000000 x4 : 0000000000000000 [ 817.111886] x3 : 000000000000ffff x2 : 0000000000000006 [ 817.111893] x1 : ffffff8804ea9200 x0 : 0000000000000000 [ 817.111900] Call trace: [ 817.111903] createbss_hdl+0x120/0x148 [8188eu] [ 817.112037] rtw_cmd_thread+0x454/0x548 [8188eu] [ 817.112170] kthread+0x178/0x180 [ 817.112184] ret_from_fork+0x10/0x30 [ 817.112193] ---[ end trace 00f853683c01e7a3 ]--- My investigation shows that the test for an invalid length was placed after the memcpy() call that generates this warning. 
The fix is to move the test above the memcpy, and to increase the maximum size of the IE buffer. Signed-off-by: Larry Finger --- rtw_mlme_ext.c | 8 ++++---- wlan_bssdef.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rtw_mlme_ext.c b/rtw_mlme_ext.c index 31a2f16..a451765 100755 --- a/rtw_mlme_ext.c +++ b/rtw_mlme_ext.c @@ -12891,15 +12891,15 @@ u8 createbss_hdl(_adapter *padapter, u8 *pbuf) /* clear CAM */ flush_all_cam_entry(padapter); - pdev_network->Length = get_WLAN_BSSID_EX_sz(pdev_network); - memcpy(pnetwork, pdev_network, FIELD_OFFSET(WLAN_BSSID_EX, IELength)); - pnetwork->IELength = pdev_network->IELength; - if (pnetwork->IELength > MAX_IE_SZ) { ret = H2C_PARAMETERS_ERROR; goto ibss_post_hdl; } + pdev_network->Length = get_WLAN_BSSID_EX_sz(pdev_network); + memcpy(pnetwork, pdev_network, pdev_network->IELength); + pnetwork->IELength = pdev_network->IELength; + memcpy(pnetwork->IEs, pdev_network->IEs, pnetwork->IELength); start_create_ibss(padapter); } else { diff --git a/wlan_bssdef.h b/wlan_bssdef.h index 293de03..3730ffa 100644 --- a/wlan_bssdef.h +++ b/wlan_bssdef.h @@ -5,7 +5,7 @@ #define __WLAN_BSSDEF_H__ -#define MAX_IE_SZ 768 +#define MAX_IE_SZ 1024 #define NDIS_802_11_LENGTH_SSID 32 #define NDIS_802_11_LENGTH_RATES 8
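Review bot: The length guard in createbss_hdl() now runs before `pnetwork->IELength` is assigned, so it tests whatever value `pnetwork` already held rather than the incoming `pdev_network->IELength`. The closing `memcpy(pnetwork->IEs, pdev_network->IEs, pnetwork->IELength)` uses the value assigned after the guard, so an oversized length in `pdev_network` would no longer be rejected before the copy; the guard should read `if (pdev_network->IELength > MAX_IE_SZ) {`. Separately, the first copy's size changed from `FIELD_OFFSET(WLAN_BSSID_EX, IELength)` to `pdev_network->IELength`, which ties the fixed-header copy to the IE length instead of the header size; unless that is intended, keep `FIELD_OFFSET(WLAN_BSSID_EX, IELength)` there. The function body starts and ends outside the hunk.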
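Review bot: Raising `MAX_IE_SZ` to 1024 is only safe if every buffer guarded by the `IELength > MAX_IE_SZ` check in createbss_hdl() is itself sized by this macro. The structure definitions are outside this hunk, so that should be confirmed, along with any stack-allocated structures that would grow by 256 bytes. The commit message does not say why 1024 was chosen; a comment above the define such as `/* upper bound for IELength; must match the size of the IEs[] buffers */` would record the coupling.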