From d453399229cefff985391f079066ac5a84955537 Mon Sep 17 00:00:00 2001 From: Hante Meuleman Date: Mon, 6 Jan 2014 12:40:38 +0100 Subject: [PATCH] brcmfmac: Limit control message length from host to device. An control request or set message length is restricted to ETH frame length for the buffer from host to device. This is limitation is imposed by the firmware. Reviewed-by: Arend Van Spriel Signed-off-by: Hante Meuleman Signed-off-by: Arend van Spriel Signed-off-by: John W. Linville --- drivers/net/wireless/brcm80211/brcmfmac/bcdc.c | 10 +++++----- drivers/net/wireless/brcm80211/brcmfmac/dhd.h | 5 +++++ 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/brcm80211/brcmfmac/bcdc.c b/drivers/net/wireless/brcm80211/brcmfmac/bcdc.c index 12c27d13df7f..c229210d50ba 100644 --- a/drivers/net/wireless/brcm80211/brcmfmac/bcdc.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/bcdc.c @@ -41,9 +41,6 @@ struct brcmf_proto_bcdc_dcmd { __le32 status; /* status code returned from the device */ }; -/* Max valid buffer size that can be sent to the dongle */ -#define BCDC_MAX_MSG_SIZE (ETH_FRAME_LEN+ETH_FCS_LEN) - /* BCDC flag definitions */ #define BCDC_DCMD_ERROR 0x01 /* 1=cmd failed */ #define BCDC_DCMD_SET 0x02 /* 0=get, 1=set cmd */ @@ -133,9 +130,12 @@ brcmf_proto_bcdc_msg(struct brcmf_pub *drvr, int ifidx, uint cmd, void *buf, if (buf) memcpy(bcdc->buf, buf, len); + len += sizeof(*msg); + if (len > BRCMF_TX_IOCTL_MAX_MSG_SIZE) + len = BRCMF_TX_IOCTL_MAX_MSG_SIZE; + /* Send request */ - return brcmf_bus_txctl(drvr->bus_if, (unsigned char *)&bcdc->msg, - len + sizeof(struct brcmf_proto_bcdc_dcmd)); + return brcmf_bus_txctl(drvr->bus_if, (unsigned char *)&bcdc->msg, len); } static int brcmf_proto_bcdc_cmplt(struct brcmf_pub *drvr, u32 id, u32 len) diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd.h b/drivers/net/wireless/brcm80211/brcmfmac/dhd.h index e29965744b71..939d6b132922 100644 --- a/drivers/net/wireless/brcm80211/brcmfmac/dhd.h +++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd.h @@ -37,6 +37,11 @@ #define BRCMF_DCMD_MEDLEN 1536 #define BRCMF_DCMD_MAXLEN 8192 +/* IOCTL from host to device are limited in lenght. A device can only handle + * ethernet frame size. This limitation is to be applied by protocol layer. + */ +#define BRCMF_TX_IOCTL_MAX_MSG_SIZE (ETH_FRAME_LEN+ETH_FCS_LEN) + #define BRCMF_AMPDU_RX_REORDER_MAXFLOWS 256 /* Length of firmware version string stored for -- 2.39.5