From c67eea0c34101ba199e500c825edf0a080cdfd45 Mon Sep 17 00:00:00 2001
From: Martin Kaiser
Date: Thu, 2 Jun 2022 21:37:20 +0200
Subject: [PATCH] staging: r8188eu: calculate the addba response length

An addba response always ends with the timeout field. The length of the addba response is the offset of the end of the timeout field in the struct ieee80211_mgmt that defines the message. Use offsetofend to calculate this offset and drop the intermediate pktlen increments as we add addba response components.

Tested-by: Pavel Skripkin
Signed-off-by: Martin Kaiser
Link: https://lore.kernel.org/r/20220602193726.280922-6-martin@kaiser.cx
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/r8188eu/core/rtw_mlme_ext.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/staging/r8188eu/core/rtw_mlme_ext.c b/drivers/staging/r8188eu/core/rtw_mlme_ext.c
index 3b684401f9643..55e347bb9a6a4 100644
--- a/drivers/staging/r8188eu/core/rtw_mlme_ext.c
+++ b/drivers/staging/r8188eu/core/rtw_mlme_ext.c
@@ -5441,18 +5441,14 @@ void issue_action_BA(struct adapter *padapter, unsigned char *raddr, unsigned ch
 break;
 case WLAN_ACTION_ADDBA_RESP:
 mgmt->u.action.u.addba_resp.action_code = WLAN_ACTION_ADDBA_RESP;
- pattrib->pktlen++;
 mgmt->u.action.u.addba_resp.dialog_token = pmlmeinfo->ADDBA_req.dialog_token;
- pattrib->pktlen++;
 mgmt->u.action.u.addba_resp.status = cpu_to_le16(status);
- pattrib->pktlen += 2;
 capab = le16_to_cpu(pmlmeinfo->ADDBA_req.BA_para_set) & 0x3f;
 capab |= u16_encode_bits(64, IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK);
 capab |= u16_encode_bits(pregpriv->ampdu_amsdu, IEEE80211_ADDBA_PARAM_AMSDU_MASK);
 mgmt->u.action.u.addba_req.capab = cpu_to_le16(capab);
- pattrib->pktlen += 2;
 mgmt->u.action.u.addba_resp.timeout = pmlmeinfo->ADDBA_req.BA_timeout_value;
- pattrib->pktlen += 2;
+ pattrib->pktlen = offsetofend(struct ieee80211_mgmt, u.action.u.addba_resp.timeout);
 break;
 case WLAN_ACTION_DELBA:
 mgmt->u.action.u.delba.action_code = WLAN_ACTION_DELBA;
-- 
2.30.2
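Review bot: The ADDBA_RESP branch stores the capability word through `mgmt->u.action.u.addba_req.capab`, while every other field in the branch, and the new `offsetofend(..., u.action.u.addba_resp.timeout)` length, uses the `addba_resp` view. Going by the struct ieee80211_mgmt definition (not shown on this page), the request layout has no status field, so `addba_req.capab` would alias `addba_resp.status` and leave the response's own capab bytes unwritten. The transmitted frame would then carry the capability bits in place of the status code, plus whatever the frame buffer already held in the capab slot, unless the buffer is zeroed earlier in the function. The store should probably read `mgmt->u.action.u.addba_resp.capab = cpu_to_le16(capab);`. issue_action_BA starts and ends outside the hunk, so the buffer initialisation and the value of pktlen on entry to this case could not be checked here.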