aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--hostapd/driver_nl80211.c4
-rw-r--r--src/drivers/driver_nl80211.c4
-rw-r--r--src/drivers/driver_wext.c4
-rw-r--r--wpa_supplicant/ChangeLog2
4 files changed, 11 insertions, 3 deletions
diff --git a/hostapd/driver_nl80211.c b/hostapd/driver_nl80211.c
index 7946b1e..3cb74d1 100644
--- a/hostapd/driver_nl80211.c
+++ b/hostapd/driver_nl80211.c
@@ -2291,10 +2291,12 @@ static int i802_get_ht_scan_res(struct i802_driver_data *drv)
if (ioctl(drv->ioctl_sock, SIOCGIWSCAN, &iwr) == 0)
break;
- if (errno == E2BIG && res_buf_len < 100000) {
+ if (errno == E2BIG && res_buf_len < 65535) {
os_free(res_buf);
res_buf = NULL;
res_buf_len *= 2;
+ if (res_buf_len > 65535)
+ res_buf_len = 65535; /* 16-bit length field */
wpa_printf(MSG_DEBUG, "Scan results did not fit - "
"trying larger buffer (%lu bytes)",
(unsigned long) res_buf_len);
diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index 5e40cd2..2646270 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -1565,10 +1565,12 @@ static u8 * wpa_driver_nl80211_giwscan(struct wpa_driver_nl80211_data *drv,
if (ioctl(drv->ioctl_sock, SIOCGIWSCAN, &iwr) == 0)
break;
- if (errno == E2BIG && res_buf_len < 100000) {
+ if (errno == E2BIG && res_buf_len < 65535) {
os_free(res_buf);
res_buf = NULL;
res_buf_len *= 2;
+ if (res_buf_len > 65535)
+ res_buf_len = 65535; /* 16-bit length field */
wpa_printf(MSG_DEBUG, "Scan results did not fit - "
"trying larger buffer (%lu bytes)",
(unsigned long) res_buf_len);
diff --git a/src/drivers/driver_wext.c b/src/drivers/driver_wext.c
index b6273e5..631c63d 100644
--- a/src/drivers/driver_wext.c
+++ b/src/drivers/driver_wext.c
@@ -1140,10 +1140,12 @@ static u8 * wpa_driver_wext_giwscan(struct wpa_driver_wext_data *drv,
if (ioctl(drv->ioctl_sock, SIOCGIWSCAN, &iwr) == 0)
break;
- if (errno == E2BIG && res_buf_len < 100000) {
+ if (errno == E2BIG && res_buf_len < 65535) {
os_free(res_buf);
res_buf = NULL;
res_buf_len *= 2;
+ if (res_buf_len > 65535)
+ res_buf_len = 65535; /* 16-bit length field */
wpa_printf(MSG_DEBUG, "Scan results did not fit - "
"trying larger buffer (%lu bytes)",
(unsigned long) res_buf_len);
diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog
index 4be7670..1d46ff9 100644
--- a/wpa_supplicant/ChangeLog
+++ b/wpa_supplicant/ChangeLog
@@ -3,6 +3,8 @@ ChangeLog for wpa_supplicant
????-??-?? - v0.7.0
* increased wpa_cli ping interval to 5 seconds and made this
configurable with a new command line options (-G<seconds>)
+ * fixed scan buffer processing with WEXT to handle up to 65535
+ byte result buffer (previously, limited to 32768 bytes)
2009-01-06 - v0.6.7
* added support for Wi-Fi Protected Setup (WPS)