--- net80211/ieee80211_wireless.c.orig 2009-01-06 10:15:58.000000000 +0100 +++ net80211/ieee80211_wireless.c 2009-01-06 10:21:04.000000000 +0100 @@ -1550,6 +1550,7 @@ #endif /* WIRELESS_EXT > 14 */ struct iwscanreq { /* XXX: right place for this declaration? */ + struct iw_request_info *info; struct ieee80211vap *vap; char *current_ev; char *end_buf; @@ -1562,6 +1563,7 @@ struct iwscanreq *req = arg; struct ieee80211vap *vap = req->vap; char *current_ev = req->current_ev; + struct iw_request_info *info = req->info; char *end_buf = req->end_buf; char *last_ev; #if WIRELESS_EXT > 14 @@ -1576,6 +1578,7 @@ char *current_val; int j; + if (current_ev >= end_buf) return E2BIG; /* WPA/!WPA sort criteria */ @@ -1590,7 +1593,7 @@ IEEE80211_ADDR_COPY(iwe.u.ap_addr.sa_data, se->se_macaddr); else IEEE80211_ADDR_COPY(iwe.u.ap_addr.sa_data, se->se_bssid); - current_ev = iwe_stream_add_event(current_ev, end_buf, &iwe, IW_EV_ADDR_LEN); + current_ev = iwe_stream_add_event(info,current_ev, end_buf, &iwe, IW_EV_ADDR_LEN); /* We ran out of space in the buffer. */ if (last_ev == current_ev) @@ -1603,11 +1606,11 @@ if (vap->iv_opmode == IEEE80211_M_HOSTAP) { iwe.u.data.length = vap->iv_des_nssid > 0 ? vap->iv_des_ssid[0].len : 0; - current_ev = iwe_stream_add_point(current_ev, + current_ev = iwe_stream_add_point(info,current_ev, end_buf, &iwe, vap->iv_des_ssid[0].ssid); } else { iwe.u.data.length = se->se_ssid[1]; - current_ev = iwe_stream_add_point(current_ev, + current_ev = iwe_stream_add_point(info,current_ev, end_buf, &iwe, (char *) se->se_ssid+2); } @@ -1621,7 +1624,7 @@ iwe.cmd = SIOCGIWMODE; iwe.u.mode = se->se_capinfo & IEEE80211_CAPINFO_ESS ? IW_MODE_MASTER : IW_MODE_ADHOC; - current_ev = iwe_stream_add_event(current_ev, + current_ev = iwe_stream_add_event(info,current_ev, end_buf, &iwe, IW_EV_UINT_LEN); /* We ran out of space in the buffer. */ 
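Review bot: The scan callback now reads `req->info` (second hunk, `struct iw_request_info *info = req->info;`), but no hunk on this page ever stores a value in the `info` member that the first hunk adds to `struct iwscanreq`. The code that builds the request is outside the visible hunks, so this is inferred: if it fills the struct field by field on the stack, every `iwe_stream_add_*` call below receives an indeterminate kernel pointer. Wireless-extensions helpers that take this argument can read `info->flags` to choose the event layout, so a stray pointer there risks an oops or mis-sized events in the user-visible scan buffer. The patch should include the hunk that sets it alongside `vap`, `current_ev` and `end_buf`, for example `req.info = info;` with names adapted to the caller. Both the struct and the callback body continue outside these hunks.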
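Review bot: The five-argument call `iwe_stream_add_event(info,current_ev, end_buf, &iwe, IW_EV_ADDR_LEN)` in the `@@ -1590,7 +1593,7 @@` hunk is unconditional, so the file will stop compiling against kernels whose helpers still take four arguments. The file already gates code on `WIRELESS_EXT` (see the `#if WIRELESS_EXT > 14` context), so a version guard or a pair of thin wrapper macros that drop `info` on older kernels would keep both builds working. The same applies to every `iwe_stream_add_point` and `iwe_stream_add_value` call changed in the later hunks. As a style point, the new argument lists want a space after the comma: `iwe_stream_add_event(info, current_ev,`.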
@@ -1634,7 +1637,7 @@ iwe.cmd = SIOCGIWFREQ; iwe.u.freq.m = se->se_chan->ic_freq * 100000; iwe.u.freq.e = 1; - current_ev = iwe_stream_add_event(current_ev, + current_ev = iwe_stream_add_event(info,current_ev, end_buf, &iwe, IW_EV_FREQ_LEN); /* We ran out of space in the buffer. */ @@ -1645,7 +1648,7 @@ last_ev = current_ev; iwe.cmd = IWEVQUAL; set_quality(&iwe.u.qual, se->se_rssi, ATH_DEFAULT_NOISE); - current_ev = iwe_stream_add_event(current_ev, + current_ev = iwe_stream_add_event(info,current_ev, end_buf, &iwe, IW_EV_QUAL_LEN); /* We ran out of space in the buffer */ @@ -1660,7 +1663,7 @@ else iwe.u.data.flags = IW_ENCODE_DISABLED; iwe.u.data.length = 0; - current_ev = iwe_stream_add_point(current_ev, end_buf, &iwe, ""); + current_ev = iwe_stream_add_point(info,current_ev, end_buf, &iwe, ""); /* We ran out of space in the buffer. */ if (last_ev == current_ev) @@ -1675,7 +1678,7 @@ int r = se->se_rates[2 + j] & IEEE80211_RATE_VAL; if (r != 0) { iwe.u.bitrate.value = r * (1000000 / 2); - current_val = iwe_stream_add_value(current_ev, + current_val = iwe_stream_add_value(info,current_ev, current_val, end_buf, &iwe, IW_EV_PARAM_LEN); } @@ -1684,7 +1687,7 @@ int r = se->se_xrates[2+j] & IEEE80211_RATE_VAL; if (r != 0) { iwe.u.bitrate.value = r * (1000000 / 2); - current_val = iwe_stream_add_value(current_ev, + current_val = iwe_stream_add_value(info,current_ev, current_val, end_buf, &iwe, IW_EV_PARAM_LEN); } @@ -1704,7 +1707,7 @@ iwe.cmd = IWEVCUSTOM; snprintf(buf, sizeof(buf), "bcn_int=%d", se->se_intval); iwe.u.data.length = strlen(buf); - current_ev = iwe_stream_add_point(current_ev, end_buf, &iwe, buf); + current_ev = iwe_stream_add_point(info,current_ev, end_buf, &iwe, buf); /* We ran out of space in the buffer. */ if (last_ev == current_ev) 
@@ -1728,7 +1731,7 @@ rsn_leader, sizeof(rsn_leader) - 1); #endif if (iwe.u.data.length != 0) { - current_ev = iwe_stream_add_point(current_ev, end_buf, + current_ev = iwe_stream_add_point(info,current_ev, end_buf, &iwe, buf); /* We ran out of space in the buffer */ @@ -1754,7 +1757,7 @@ wpa_leader, sizeof(wpa_leader) - 1); #endif if (iwe.u.data.length != 0) { - current_ev = iwe_stream_add_point(current_ev, end_buf, + current_ev = iwe_stream_add_point(info,current_ev, end_buf, &iwe, buf); /* We ran out of space in the buffer. */ @@ -1773,7 +1776,7 @@ se->se_wme_ie, se->se_wme_ie[1] + 2, wme_leader, sizeof(wme_leader) - 1); if (iwe.u.data.length != 0) { - current_ev = iwe_stream_add_point(current_ev, end_buf, + current_ev = iwe_stream_add_point(info,current_ev, end_buf, &iwe, buf); /* We ran out of space in the buffer. */ @@ -1791,7 +1794,7 @@ se->se_ath_ie, se->se_ath_ie[1] + 2, ath_leader, sizeof(ath_leader) - 1); if (iwe.u.data.length != 0) { - current_ev = iwe_stream_add_point(current_ev, end_buf, + current_ev = iwe_stream_add_point(info,current_ev, end_buf, &iwe, buf); /* We ran out of space in the buffer. */