Gitiles
Code Review Sign In
review.blissroms.org / platform_system_qcom / 124fb55d96c163ace9231f71f0bb8aecddfec1ce^! / .
commit124fb55d96c163ace9231f71f0bb8aecddfec1ce[log] [tgz]
authorRavi Joshi <ravij@codeaurora.org>Wed Apr 02 16:18:12 2014 -0700
committerRavi Joshi <ravij@codeaurora.org>Wed Apr 02 16:18:12 2014 -0700
treeab3be524f086d337962c1abbb7effd672d452ad4
parent1e7bd66054ede98d2bd22c881cf617cba2f150b8 [diff]
framework: Fix for 64-bit unsafe QCSAP_IOCTL_ASSOC_STA_MACADDR handling

Fixes for making SAP SDK 64 bit compliant for QCSAP_IOCTL_ASSOC_STA_MACADDR
ioctl

Change-Id: I161ac3113c01752f627bd876f85342d5a9b20ede
CRs-Fixed: 639046

diff --git a/softap/sdk/qsap_api.c b/softap/sdk/qsap_api.c
index 6c13d60..5888e5b 100644
--- a/softap/sdk/qsap_api.c
+++ b/softap/sdk/qsap_api.c

@@ -1463,6 +1463,7 @@
     u32 len = MAX_CONF_LINE_LEN;
     s8 *pif;
     s8 *pbuf, *pout;
+    u32 buflen;
     u32 recvLen;
     u32 tlen;
 
@@ -1482,7 +1483,9 @@
         goto error;
     }
 
-    pbuf = (s8 *)malloc((MAX_STA_ALLOWED * 6) + 8);
+    /* response has length field + 6 bytes per STA */
+    buflen = sizeof(u32) + (MAX_STA_ALLOWED * 6);
+    pbuf = (s8 *)malloc(buflen);
     if(NULL == pbuf) {
         ALOGE("%s :No memory \n", __func__);
         close(sock);
@@ -1492,7 +1495,7 @@
 
 #define SIZE_OF_MAC_INT   (6)
     strlcpy(wrq.ifr_name, pif, sizeof(wrq.ifr_name));
-    wrq.u.data.length = SIZE_OF_MAC_INT * 8 + 8; /** 8 supported MAC and 7 SPACE separators and a '\0' */
+    wrq.u.data.length = buflen;
     wrq.u.data.pointer = (void *)pbuf;
     wrq.u.data.flags = 0;
 
@@ -1504,13 +1507,14 @@
         goto error;
     }
 
-    recvLen = *(unsigned long int *)(wrq.u.data.pointer);
+    recvLen = *(u32 *)(wrq.u.data.pointer);
+    recvLen -= sizeof(u32);
 
     len = qsap_scnprintf(presp, *plen, "%s %s=", SUCCESS, cmd_list[eCMD_ASSOC_STA_MACS].name);
     pout = presp + len;
     tlen = *plen - len;
 
-    qsap_mac_to_macstr(pbuf+sizeof(unsigned long int), recvLen, pout, &tlen);
+    qsap_mac_to_macstr(pbuf+sizeof(u32), recvLen, pout, &tlen);
 
     *plen = len + tlen;
 
@@ -3060,7 +3064,7 @@
 {
     char cmdbuf[CMD_BUF_LEN];
     char respbuf[RECV_BUF_LEN];
-    unsigned long int rlen = RECV_BUF_LEN;
+    u32 rlen = RECV_BUF_LEN;
     int i;
     int hidden = 0;
     int sec = SEC_MODE_NONE;