staging: vt6656: iwctl_giwaplist/device_ioctl : use off stack buffers.

 * Wireless Handler: get ap list

 */

int iwctl_giwaplist(struct net_device *dev, struct iw_request_info *info,

		struct iw_point *wrq, char *extra)

		struct iw_point *wrq, u8 *extra)

{

	struct sockaddr *sock;

	struct iw_quality *qual;

	PSDevice pDevice = netdev_priv(dev);

	PSMgmtObject pMgmt = &pDevice->sMgmtObj;

	PKnownBSS pBSS = &pMgmt->sBSSList[0];

	int ii;

	int jj;

	int rc = 0;

	struct sockaddr sock[IW_MAX_AP];

	struct iw_quality qual[IW_MAX_AP];

	PSDevice pDevice = netdev_priv(dev);

	PSMgmtObject pMgmt = &(pDevice->sMgmtObj);

	DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO " SIOCGIWAPLIST\n");

	// Only super-user can see AP list

	/* Only super-user can see AP list */

	if (!capable(CAP_NET_ADMIN)) {

		rc = -EPERM;

		return rc;

	}

	if (pBSS == NULL)

		return -ENODEV;

	if (wrq->pointer) {

		PKnownBSS pBSS = &(pMgmt->sBSSList[0]);

	if (!capable(CAP_NET_ADMIN))

		return -EPERM;

	if (!wrq->pointer)

		return -EINVAL;

	sock = kzalloc(sizeof(struct sockaddr) * IW_MAX_AP, GFP_KERNEL);

	qual = kzalloc(sizeof(struct iw_quality) * IW_MAX_AP, GFP_KERNEL);

	if (sock == NULL || qual == NULL)

		return -ENOMEM;

	for (ii = 0, jj = 0; ii < MAX_BSS_NUM; ii++) {

			pBSS = &(pMgmt->sBSSList[ii]);

			if (!pBSS->bActive)

		if (!pBSS[ii].bActive)

			continue;

		if (jj >= IW_MAX_AP)

			break;

			memcpy(sock[jj].sa_data, pBSS->abyBSSID, 6);

		memcpy(sock[jj].sa_data, pBSS[ii].abyBSSID, 6);

		sock[jj].sa_family = ARPHRD_ETHER;

			qual[jj].level = pBSS->uRSSI;

		qual[jj].level = pBSS[ii].uRSSI;

		qual[jj].qual = qual[jj].noise = 0;

		qual[jj].updated = 2;

		jj++;

	}

		wrq->flags = 1; // Should be defined

	wrq->flags = 1; /* Should be defined */

	wrq->length = jj;

	memcpy(extra, sock, sizeof(struct sockaddr) * jj);

		memcpy(extra + sizeof(struct sockaddr) * jj, qual, sizeof(struct iw_quality) * jj);

	}

	return rc;

	memcpy(extra + sizeof(struct sockaddr) * jj, qual,

		sizeof(struct iw_quality) * jj);

	kfree(sock);

	kfree(qual);

	return 0;

}

/*

static int  device_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) {

	PSDevice pDevice = (PSDevice)netdev_priv(dev);

    PSMgmtObject        pMgmt = &(pDevice->sMgmtObj);

	PSMgmtObject pMgmt = &pDevice->sMgmtObj;

	PSCmdRequest pReq;

    //BOOL                bCommit = FALSE;

	u8 *buffer;

	struct iwreq *wrq = (struct iwreq *) rq;

	int rc = 0;

		break;

	case SIOCGIWAPLIST:

	    {

            char buffer[IW_MAX_AP * (sizeof(struct sockaddr) + sizeof(struct iw_quality))];

		if (wrq->u.data.pointer) {

		        rc = iwctl_giwaplist(dev, NULL, &(wrq->u.data), buffer);

		        if (rc == 0) {

                    if (copy_to_user(wrq->u.data.pointer,

					                buffer,

					               (wrq->u.data.length * (sizeof(struct sockaddr) +  sizeof(struct iw_quality)))

				        ))

				    rc = -EFAULT;

			buffer = kzalloc((sizeof(struct sockaddr) +

				sizeof(struct iw_quality)) * IW_MAX_AP,

					GFP_KERNEL);

			if (buffer == NULL) {

				rc = -ENOMEM;

				break;

			}

			rc = iwctl_giwaplist(dev, NULL, &(wrq->u.data), buffer);

			if (rc < 0) {

				kfree(buffer);

				break;

			}

			if (copy_to_user(wrq->u.data.pointer, buffer,

				wrq->u.data.length * (sizeof(struct sockaddr)

					+ sizeof(struct iw_quality))))

				rc = -EFAULT;

			kfree(buffer);

		}

		break;