    iwlwifi: fix erroneous use of iwl_rx_packet.len as a length · 396887a2
    Daniel C Halperin authored
    
    
    The field called 'len' in struct iwl_rx_packet is in fact not just a length
    field but also includes some flags from the flow handler.  In several places
    throughout the driver, this causes incorrect values to be interpreted as
    lengths when the field is improperly masked.
    
    In most situations the improper use is for debugging output, and simply results
    in an erroneous message, such as:
    
    [551933.070224] ieee80211 phy0: I iwl_rx_statistics Statistics notification received (480 vs -1367342620).
    
    which should read '(480 vs 484)'.
    
    In at least one case this could cause bad things to happen:
    
    void iwl_rx_pm_debug_statistics_notif(struct iwl_priv *priv,
                                          struct iwl_rx_mem_buffer *rxb)
    {
            struct iwl_rx_packet *pkt = (struct iwl_rx_packet *)rxb->skb->data;
            IWL_DEBUG_RADIO(priv, "Dumping %d bytes of unhandled "
                            "notification for %s:\n",
                            le32_to_cpu(pkt->len), get_cmd_string(pkt->hdr.cmd));
            iwl_print_hex_dump(priv, IWL_DL_RADIO, pkt->u.raw, le32_to_cpu(pkt->len));
    }
    EXPORT_SYMBOL(iwl_rx_pm_debug_statistics_notif);
    
    Given the rampant misuse of this field without proper masking throughout the
    driver (every use but one), this patch renames the field from 'len' to
    'len_n_flags' to reduce confusion.  It also adds the proper masking when
    this field is used as a length value.

    Signed-off-by: Daniel C Halperin <daniel.c.halperin@intel.com>
    Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
iwl-core.c 89.9 KB
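
The masking the commit message describes, as an added example that is not code from the patch or the driver: it takes the value from the quoted log line, strips the flag bits, and recovers the expected 484. The 14-bit mask `FRAME_SIZE_MSK`, the helper names and the buffer clamp are assumptions of this example; the page does not state the mask value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the frame size occupies the low 14 bits of the field;
 * the mask value is not stated on the page. */
#define FRAME_SIZE_MSK 0x00003FFFu

/* Value printed in the log line quoted in the commit message. */
#define LOGGED_VALUE ((int32_t)-1367342620)

/* Portable stand-in for le32_to_cpu() applied to a raw receive buffer. */
static uint32_t get_le32(const uint8_t *b)
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Length in bytes: drop the flow-handler flag bits before any use. */
static uint32_t frame_len(uint32_t len_n_flags)
{
    return len_n_flags & FRAME_SIZE_MSK;
}

/* Extra defensive step (not described in the commit): never dump more
 * bytes than the caller's buffer actually holds. */
static size_t safe_dump_len(uint32_t len_n_flags, size_t avail)
{
    uint32_t len = frame_len(len_n_flags);
    return len < avail ? (size_t)len : avail;
}

int main(void)
{
    /* Constructed sample: little-endian bytes of the logged value. */
    const uint8_t wire[4] = { 0xE4, 0x01, 0x80, 0xAE };
    uint32_t raw = get_le32(wire);

    printf("unmasked as %%d: %d\n", (int)(int32_t)raw);
    printf("masked length:  %u\n", (unsigned)frame_len(raw));
    printf("bytes to dump:  %zu\n", safe_dump_len(raw, 4096));
    return 0;
}
```

Passed unmasked to a hex-dump routine, the same field would request roughly 2.9 billion bytes from a receive buffer, which is the out-of-bounds read risk in `iwl_rx_pm_debug_statistics_notif` that the message points at.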