From nobody@FreeBSD.org  Thu Dec 30 14:12:08 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7962A106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 30 Dec 2010 14:12:08 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (unknown [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 68F1D8FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 30 Dec 2010 14:12:08 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id oBUEC8v7094496
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 30 Dec 2010 14:12:08 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id oBUEC8AI094495;
	Thu, 30 Dec 2010 14:12:08 GMT
	(envelope-from nobody)
Message-Id: <201012301412.oBUEC8AI094495@red.freebsd.org>
Date: Thu, 30 Dec 2010 14:12:08 GMT
From: Erik Fonnesbeck <efonnes@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] [mwl] Fix for incorrect limit on number of virtual access points
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         153549
>Category:       kern
>Synopsis:       [patch] [mwl] Fix for incorrect limit on number of virtual access points
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bschmidt
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 30 14:20:10 UTC 2010
>Closed-Date:    Fri Dec 31 09:52:57 UTC 2010
>Last-Modified:  Fri Dec 31 10:00:22 UTC 2010
>Originator:     Erik Fonnesbeck
>Release:        all versions are affected
>Organization:
>Environment:
not applicable
>Description:
mwl's source code says it should only allow 8 virtual access points, but a bug in the initialization code makes it allow 16.
>How-To-Repeat:
Attempt to create more than 8 virtual access points and it allows it.
>Fix:
During initialization there is an incorrect condition on a for loop that does initialization for stations, leaving 8 of them uninitialized and causing the driver to think those 8 entries are for access points.  Patch enclosed.

Patch attached with submission follows:

--- /usr/src/sys/dev/mwl/mwlhal.c.old	2010-06-23 14:50:59.000000000 -0600
+++ /usr/src/sys/dev/mwl/mwlhal.c	2010-12-30 03:53:57.000000000 -0700
@@ -279,7 +279,7 @@
 	hvap->vap_type = MWL_HAL_STA;
 	hvap->bss_type = htole16(WL_MAC_TYPE_PRIMARY_CLIENT);
 	hvap->macid = i;
-	for (i++; i < MWL_MBSS_STA_MAX; i++) {
+	for (i++; i < MWL_MBSS_AP_MAX+MWL_MBSS_STA_MAX; i++) {
 		hvap = &mh->mh_vaps[i];
 		hvap->vap_type = MWL_HAL_STA;
 		hvap->bss_type = htole16(WL_MAC_TYPE_SECONDARY_CLIENT);


>Release-Note:
>Audit-Trail:

From: Erik Fonnesbeck <efonnes@gmail.com>
To: bug-followup@FreeBSD.org, efonnes@gmail.com
Cc:  
Subject: Re: kern/153549: [patch] [mwl] Fix for incorrect limit on number of
 virtual access points
Date: Thu, 30 Dec 2010 07:48:49 -0700

 I meant to say all versions that have the driver are affected (8 to
 current).=A0 The specific file affected was last modified sometime
 before 8's release.
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Dec 30 22:17:48 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=153549 
State-Changed-From-To: open->closed 
State-Changed-By: bschmidt 
State-Changed-When: Fri Dec 31 09:51:32 UTC 2010 
State-Changed-Why:  
Good catch, thanks! I allowed myself to change the condition to the predefined MWL_MBSS_MAX constant. 


Responsible-Changed-From-To: freebsd-net->bschmidt 
Responsible-Changed-By: bschmidt 
Responsible-Changed-When: Fri Dec 31 09:51:32 UTC 2010 
Responsible-Changed-Why:  
over to me 

http://www.freebsd.org/cgi/query-pr.cgi?pr=153549 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/153549: commit references a PR
Date: Fri, 31 Dec 2010 09:50:22 +0000 (UTC)

 Author: bschmidt
 Date: Fri Dec 31 09:50:15 2010
 New Revision: 216835
 URL: http://svn.freebsd.org/changeset/base/216835
 
 Log:
   The mwl's HAL manages an array of MWL_MBSS_MAX VAPs where the first 8 are
   supposed to be APs and the later 24 are pre-configured as STAs. A wrong
   condition during initialization is responsible for not configuring the last
   8 array members. This is results in being able to create more than 8,
   possible uninitialized, AP-VAPs.
   
   PR:		kern/153549
   Submitted by:	Erik Fonnesbeck <efonnes at gmail.com>
   MFC after:	2 weeks
 
 Modified:
   head/sys/dev/mwl/mwlhal.c
 
 Modified: head/sys/dev/mwl/mwlhal.c
 ==============================================================================
 --- head/sys/dev/mwl/mwlhal.c	Fri Dec 31 02:19:38 2010	(r216834)
 +++ head/sys/dev/mwl/mwlhal.c	Fri Dec 31 09:50:15 2010	(r216835)
 @@ -279,7 +279,7 @@ mwl_hal_attach(device_t dev, uint16_t de
  	hvap->vap_type = MWL_HAL_STA;
  	hvap->bss_type = htole16(WL_MAC_TYPE_PRIMARY_CLIENT);
  	hvap->macid = i;
 -	for (i++; i < MWL_MBSS_STA_MAX; i++) {
 +	for (i++; i < MWL_MBSS_MAX; i++) {
  		hvap = &mh->mh_vaps[i];
  		hvap->vap_type = MWL_HAL_STA;
  		hvap->bss_type = htole16(WL_MAC_TYPE_SECONDARY_CLIENT);
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
>Unformatted:
