linux/drivers/net/wireless/orinoco/hw.c
John W. Linville 518ff04fd8 orinoco: correct key bounds check in orinoco_hw_get_tkip_iv
If key is 4 that is an array out of bounds.

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-17 13:38:34 -04:00

585 lines
14 KiB
C

/* Encapsulate basic setting changes and retrieval on Hermes hardware
*
* See copyright notice in main.c
*/
#include <linux/kernel.h>
#include <linux/if_arp.h>
#include <linux/ieee80211.h>
#include <linux/wireless.h>
#include "hermes.h"
#include "hermes_rid.h"
#include "orinoco.h"
#include "hw.h"
/********************************************************************/
/* Data tables */
/********************************************************************/
/* This tables gives the actual meanings of the bitrate IDs returned
* by the firmware. */
static const struct {
int bitrate; /* in 100s of kilobits */
int automatic;
u16 agere_txratectrl;
u16 intersil_txratectrl;
} bitrate_table[] = {
{110, 1, 3, 15}, /* Entry 0 is the default */
{10, 0, 1, 1},
{10, 1, 1, 1},
{20, 0, 2, 2},
{20, 1, 6, 3},
{55, 0, 4, 4},
{55, 1, 7, 7},
{110, 0, 5, 8},
};
#define BITRATE_TABLE_SIZE ARRAY_SIZE(bitrate_table)
int orinoco_get_bitratemode(int bitrate, int automatic)
{
int ratemode = -1;
int i;
if ((bitrate != 10) && (bitrate != 20) &&
(bitrate != 55) && (bitrate != 110))
return ratemode;
for (i = 0; i < BITRATE_TABLE_SIZE; i++) {
if ((bitrate_table[i].bitrate == bitrate) &&
(bitrate_table[i].automatic == automatic)) {
ratemode = i;
break;
}
}
return ratemode;
}
void orinoco_get_ratemode_cfg(int ratemode, int *bitrate, int *automatic)
{
BUG_ON((ratemode < 0) || (ratemode >= BITRATE_TABLE_SIZE));
*bitrate = bitrate_table[ratemode].bitrate * 100000;
*automatic = bitrate_table[ratemode].automatic;
}
/* Get tsc from the firmware */
int orinoco_hw_get_tkip_iv(struct orinoco_private *priv, int key, u8 *tsc)
{
hermes_t *hw = &priv->hw;
int err = 0;
u8 tsc_arr[4][IW_ENCODE_SEQ_MAX_SIZE];
if ((key < 0) || (key >= 4))
return -EINVAL;
err = hermes_read_ltv(hw, USER_BAP, HERMES_RID_CURRENT_TKIP_IV,
sizeof(tsc_arr), NULL, &tsc_arr);
if (!err)
memcpy(tsc, &tsc_arr[key][0], sizeof(tsc_arr[0]));
return err;
}
int __orinoco_hw_set_bitrate(struct orinoco_private *priv)
{
hermes_t *hw = &priv->hw;
int ratemode = priv->bitratemode;
int err = 0;
if (ratemode >= BITRATE_TABLE_SIZE) {
printk(KERN_ERR "%s: BUG: Invalid bitrate mode %d\n",
priv->ndev->name, ratemode);
return -EINVAL;
}
switch (priv->firmware_type) {
case FIRMWARE_TYPE_AGERE:
err = hermes_write_wordrec(hw, USER_BAP,
HERMES_RID_CNFTXRATECONTROL,
bitrate_table[ratemode].agere_txratectrl);
break;
case FIRMWARE_TYPE_INTERSIL:
case FIRMWARE_TYPE_SYMBOL:
err = hermes_write_wordrec(hw, USER_BAP,
HERMES_RID_CNFTXRATECONTROL,
bitrate_table[ratemode].intersil_txratectrl);
break;
default:
BUG();
}
return err;
}
int orinoco_hw_get_act_bitrate(struct orinoco_private *priv, int *bitrate)
{
hermes_t *hw = &priv->hw;
int i;
int err = 0;
u16 val;
err = hermes_read_wordrec(hw, USER_BAP,
HERMES_RID_CURRENTTXRATE, &val);
if (err)
return err;
switch (priv->firmware_type) {
case FIRMWARE_TYPE_AGERE: /* Lucent style rate */
/* Note : in Lucent firmware, the return value of
* HERMES_RID_CURRENTTXRATE is the bitrate in Mb/s,
* and therefore is totally different from the
* encoding of HERMES_RID_CNFTXRATECONTROL.
* Don't forget that 6Mb/s is really 5.5Mb/s */
if (val == 6)
*bitrate = 5500000;
else
*bitrate = val * 1000000;
break;
case FIRMWARE_TYPE_INTERSIL: /* Intersil style rate */
case FIRMWARE_TYPE_SYMBOL: /* Symbol style rate */
for (i = 0; i < BITRATE_TABLE_SIZE; i++)
if (bitrate_table[i].intersil_txratectrl == val)
break;
if (i >= BITRATE_TABLE_SIZE)
printk(KERN_INFO "%s: Unable to determine current bitrate (0x%04hx)\n",
priv->ndev->name, val);
*bitrate = bitrate_table[i].bitrate * 100000;
break;
default:
BUG();
}
return err;
}
/* Set fixed AP address */
int __orinoco_hw_set_wap(struct orinoco_private *priv)
{
int roaming_flag;
int err = 0;
hermes_t *hw = &priv->hw;
switch (priv->firmware_type) {
case FIRMWARE_TYPE_AGERE:
/* not supported */
break;
case FIRMWARE_TYPE_INTERSIL:
if (priv->bssid_fixed)
roaming_flag = 2;
else
roaming_flag = 1;
err = hermes_write_wordrec(hw, USER_BAP,
HERMES_RID_CNFROAMINGMODE,
roaming_flag);
break;
case FIRMWARE_TYPE_SYMBOL:
err = HERMES_WRITE_RECORD(hw, USER_BAP,
HERMES_RID_CNFMANDATORYBSSID_SYMBOL,
&priv->desired_bssid);
break;
}
return err;
}
/* Change the WEP keys and/or the current keys. Can be called
* either from __orinoco_hw_setup_enc() or directly from
* orinoco_ioctl_setiwencode(). In the later case the association
* with the AP is not broken (if the firmware can handle it),
* which is needed for 802.1x implementations. */
int __orinoco_hw_setup_wepkeys(struct orinoco_private *priv)
{
hermes_t *hw = &priv->hw;
int err = 0;
switch (priv->firmware_type) {
case FIRMWARE_TYPE_AGERE:
err = HERMES_WRITE_RECORD(hw, USER_BAP,
HERMES_RID_CNFWEPKEYS_AGERE,
&priv->keys);
if (err)
return err;
err = hermes_write_wordrec(hw, USER_BAP,
HERMES_RID_CNFTXKEY_AGERE,
priv->tx_key);
if (err)
return err;
break;
case FIRMWARE_TYPE_INTERSIL:
case FIRMWARE_TYPE_SYMBOL:
{
int keylen;
int i;
/* Force uniform key length to work around
* firmware bugs */
keylen = le16_to_cpu(priv->keys[priv->tx_key].len);
if (keylen > LARGE_KEY_SIZE) {
printk(KERN_ERR "%s: BUG: Key %d has oversize length %d.\n",
priv->ndev->name, priv->tx_key, keylen);
return -E2BIG;
}
/* Write all 4 keys */
for (i = 0; i < ORINOCO_MAX_KEYS; i++) {
err = hermes_write_ltv(hw, USER_BAP,
HERMES_RID_CNFDEFAULTKEY0 + i,
HERMES_BYTES_TO_RECLEN(keylen),
priv->keys[i].data);
if (err)
return err;
}
/* Write the index of the key used in transmission */
err = hermes_write_wordrec(hw, USER_BAP,
HERMES_RID_CNFWEPDEFAULTKEYID,
priv->tx_key);
if (err)
return err;
}
break;
}
return 0;
}
int __orinoco_hw_setup_enc(struct orinoco_private *priv)
{
hermes_t *hw = &priv->hw;
int err = 0;
int master_wep_flag;
int auth_flag;
int enc_flag;
/* Setup WEP keys for WEP and WPA */
if (priv->encode_alg)
__orinoco_hw_setup_wepkeys(priv);
if (priv->wep_restrict)
auth_flag = HERMES_AUTH_SHARED_KEY;
else
auth_flag = HERMES_AUTH_OPEN;
if (priv->wpa_enabled)
enc_flag = 2;
else if (priv->encode_alg == IW_ENCODE_ALG_WEP)
enc_flag = 1;
else
enc_flag = 0;
switch (priv->firmware_type) {
case FIRMWARE_TYPE_AGERE: /* Agere style WEP */
if (priv->encode_alg == IW_ENCODE_ALG_WEP) {
/* Enable the shared-key authentication. */
err = hermes_write_wordrec(hw, USER_BAP,
HERMES_RID_CNFAUTHENTICATION_AGERE,
auth_flag);
}
err = hermes_write_wordrec(hw, USER_BAP,
HERMES_RID_CNFWEPENABLED_AGERE,
enc_flag);
if (err)
return err;
if (priv->has_wpa) {
/* Set WPA key management */
err = hermes_write_wordrec(hw, USER_BAP,
HERMES_RID_CNFSETWPAAUTHMGMTSUITE_AGERE,
priv->key_mgmt);
if (err)
return err;
}
break;
case FIRMWARE_TYPE_INTERSIL: /* Intersil style WEP */
case FIRMWARE_TYPE_SYMBOL: /* Symbol style WEP */
if (priv->encode_alg == IW_ENCODE_ALG_WEP) {
if (priv->wep_restrict ||
(priv->firmware_type == FIRMWARE_TYPE_SYMBOL))
master_wep_flag = HERMES_WEP_PRIVACY_INVOKED |
HERMES_WEP_EXCL_UNENCRYPTED;
else
master_wep_flag = HERMES_WEP_PRIVACY_INVOKED;
err = hermes_write_wordrec(hw, USER_BAP,
HERMES_RID_CNFAUTHENTICATION,
auth_flag);
if (err)
return err;
} else
master_wep_flag = 0;
if (priv->iw_mode == IW_MODE_MONITOR)
master_wep_flag |= HERMES_WEP_HOST_DECRYPT;
/* Master WEP setting : on/off */
err = hermes_write_wordrec(hw, USER_BAP,
HERMES_RID_CNFWEPFLAGS_INTERSIL,
master_wep_flag);
if (err)
return err;
break;
}
return 0;
}
/* key must be 32 bytes, including the tx and rx MIC keys.
* rsc must be 8 bytes
* tsc must be 8 bytes or NULL
*/
int __orinoco_hw_set_tkip_key(hermes_t *hw, int key_idx, int set_tx,
u8 *key, u8 *rsc, u8 *tsc)
{
struct {
__le16 idx;
u8 rsc[IW_ENCODE_SEQ_MAX_SIZE];
u8 key[TKIP_KEYLEN];
u8 tx_mic[MIC_KEYLEN];
u8 rx_mic[MIC_KEYLEN];
u8 tsc[IW_ENCODE_SEQ_MAX_SIZE];
} __attribute__ ((packed)) buf;
int ret;
int err;
int k;
u16 xmitting;
key_idx &= 0x3;
if (set_tx)
key_idx |= 0x8000;
buf.idx = cpu_to_le16(key_idx);
memcpy(buf.key, key,
sizeof(buf.key) + sizeof(buf.tx_mic) + sizeof(buf.rx_mic));
if (rsc == NULL)
memset(buf.rsc, 0, sizeof(buf.rsc));
else
memcpy(buf.rsc, rsc, sizeof(buf.rsc));
if (tsc == NULL) {
memset(buf.tsc, 0, sizeof(buf.tsc));
buf.tsc[4] = 0x10;
} else {
memcpy(buf.tsc, tsc, sizeof(buf.tsc));
}
/* Wait upto 100ms for tx queue to empty */
for (k = 100; k > 0; k--) {
udelay(1000);
ret = hermes_read_wordrec(hw, USER_BAP, HERMES_RID_TXQUEUEEMPTY,
&xmitting);
if (ret || !xmitting)
break;
}
if (k == 0)
ret = -ETIMEDOUT;
err = HERMES_WRITE_RECORD(hw, USER_BAP,
HERMES_RID_CNFADDDEFAULTTKIPKEY_AGERE,
&buf);
return ret ? ret : err;
}
int orinoco_clear_tkip_key(struct orinoco_private *priv, int key_idx)
{
hermes_t *hw = &priv->hw;
int err;
memset(&priv->tkip_key[key_idx], 0, sizeof(priv->tkip_key[key_idx]));
err = hermes_write_wordrec(hw, USER_BAP,
HERMES_RID_CNFREMDEFAULTTKIPKEY_AGERE,
key_idx);
if (err)
printk(KERN_WARNING "%s: Error %d clearing TKIP key %d\n",
priv->ndev->name, err, key_idx);
return err;
}
int __orinoco_hw_set_multicast_list(struct orinoco_private *priv,
struct dev_addr_list *mc_list,
int mc_count, int promisc)
{
hermes_t *hw = &priv->hw;
int err = 0;
if (promisc != priv->promiscuous) {
err = hermes_write_wordrec(hw, USER_BAP,
HERMES_RID_CNFPROMISCUOUSMODE,
promisc);
if (err) {
printk(KERN_ERR "%s: Error %d setting PROMISCUOUSMODE to 1.\n",
priv->ndev->name, err);
} else
priv->promiscuous = promisc;
}
/* If we're not in promiscuous mode, then we need to set the
* group address if either we want to multicast, or if we were
* multicasting and want to stop */
if (!promisc && (mc_count || priv->mc_count)) {
struct dev_mc_list *p = mc_list;
struct hermes_multicast mclist;
int i;
for (i = 0; i < mc_count; i++) {
/* paranoia: is list shorter than mc_count? */
BUG_ON(!p);
/* paranoia: bad address size in list? */
BUG_ON(p->dmi_addrlen != ETH_ALEN);
memcpy(mclist.addr[i], p->dmi_addr, ETH_ALEN);
p = p->next;
}
if (p)
printk(KERN_WARNING "%s: Multicast list is "
"longer than mc_count\n", priv->ndev->name);
err = hermes_write_ltv(hw, USER_BAP,
HERMES_RID_CNFGROUPADDRESSES,
HERMES_BYTES_TO_RECLEN(mc_count * ETH_ALEN),
&mclist);
if (err)
printk(KERN_ERR "%s: Error %d setting multicast list.\n",
priv->ndev->name, err);
else
priv->mc_count = mc_count;
}
return err;
}
/* Return : < 0 -> error code ; >= 0 -> length */
int orinoco_hw_get_essid(struct orinoco_private *priv, int *active,
char buf[IW_ESSID_MAX_SIZE+1])
{
hermes_t *hw = &priv->hw;
int err = 0;
struct hermes_idstring essidbuf;
char *p = (char *)(&essidbuf.val);
int len;
unsigned long flags;
if (orinoco_lock(priv, &flags) != 0)
return -EBUSY;
if (strlen(priv->desired_essid) > 0) {
/* We read the desired SSID from the hardware rather
than from priv->desired_essid, just in case the
firmware is allowed to change it on us. I'm not
sure about this */
/* My guess is that the OWNSSID should always be whatever
* we set to the card, whereas CURRENT_SSID is the one that
* may change... - Jean II */
u16 rid;
*active = 1;
rid = (priv->port_type == 3) ? HERMES_RID_CNFOWNSSID :
HERMES_RID_CNFDESIREDSSID;
err = hermes_read_ltv(hw, USER_BAP, rid, sizeof(essidbuf),
NULL, &essidbuf);
if (err)
goto fail_unlock;
} else {
*active = 0;
err = hermes_read_ltv(hw, USER_BAP, HERMES_RID_CURRENTSSID,
sizeof(essidbuf), NULL, &essidbuf);
if (err)
goto fail_unlock;
}
len = le16_to_cpu(essidbuf.len);
BUG_ON(len > IW_ESSID_MAX_SIZE);
memset(buf, 0, IW_ESSID_MAX_SIZE);
memcpy(buf, p, len);
err = len;
fail_unlock:
orinoco_unlock(priv, &flags);
return err;
}
int orinoco_hw_get_freq(struct orinoco_private *priv)
{
hermes_t *hw = &priv->hw;
int err = 0;
u16 channel;
int freq = 0;
unsigned long flags;
if (orinoco_lock(priv, &flags) != 0)
return -EBUSY;
err = hermes_read_wordrec(hw, USER_BAP, HERMES_RID_CURRENTCHANNEL,
&channel);
if (err)
goto out;
/* Intersil firmware 1.3.5 returns 0 when the interface is down */
if (channel == 0) {
err = -EBUSY;
goto out;
}
if ((channel < 1) || (channel > NUM_CHANNELS)) {
printk(KERN_WARNING "%s: Channel out of range (%d)!\n",
priv->ndev->name, channel);
err = -EBUSY;
goto out;
}
freq = ieee80211_dsss_chan_to_freq(channel);
out:
orinoco_unlock(priv, &flags);
if (err > 0)
err = -EBUSY;
return err ? err : freq;
}
int orinoco_hw_get_bitratelist(struct orinoco_private *priv,
int *numrates, s32 *rates, int max)
{
hermes_t *hw = &priv->hw;
struct hermes_idstring list;
unsigned char *p = (unsigned char *)&list.val;
int err = 0;
int num;
int i;
unsigned long flags;
if (orinoco_lock(priv, &flags) != 0)
return -EBUSY;
err = hermes_read_ltv(hw, USER_BAP, HERMES_RID_SUPPORTEDDATARATES,
sizeof(list), NULL, &list);
orinoco_unlock(priv, &flags);
if (err)
return err;
num = le16_to_cpu(list.len);
*numrates = num;
num = min(num, max);
for (i = 0; i < num; i++)
rates[i] = (p[i] & 0x7f) * 500000; /* convert to bps */
return 0;
}