From 6b0c328cda12ca0e8d2d53890272b8d5d76d374e Mon Sep 17 00:00:00 2001
From: stsp <stsp@openbsd.org>
Date: Fri, 9 Jul 2021 11:31:05 +0000
Subject: [PATCH] Fix errors in the probe request template we provide to iwm(4)
 firmware.

The SSID should not be inserted into the template itself. The template
just needs an empty SSID information element. Firmware fills in the rest.

Fix the length specification of 2GHz band-specific data in the template.
---
 sys/dev/pci/if_iwm.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/sys/dev/pci/if_iwm.c b/sys/dev/pci/if_iwm.c
index 8563cc1b943..8ddf793b91b 100644
--- a/sys/dev/pci/if_iwm.c
+++ b/sys/dev/pci/if_iwm.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_iwm.c,v 1.351 2021/07/09 11:29:08 stsp Exp $	*/
+/*	$OpenBSD: if_iwm.c,v 1.352 2021/07/09 11:31:05 stsp Exp $	*/
 
 /*
  * Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
@@ -7180,7 +7180,7 @@ iwm_fill_probe_req(struct iwm_softc *sc, struct iwm_scan_probe_req *preq)
 
 	memset(preq, 0, sizeof(*preq));
 
-	if (remain < sizeof(*wh) + 2 + ic->ic_des_esslen)
+	if (remain < sizeof(*wh) + 2)
 		return ENOBUFS;
 
 	/*
@@ -7197,9 +7197,12 @@ iwm_fill_probe_req(struct iwm_softc *sc, struct iwm_scan_probe_req *preq)
 	*(uint16_t *)&wh->i_seq[0] = 0;	/* filled by HW */
 
 	frm = (uint8_t *)(wh + 1);
-	frm = ieee80211_add_ssid(frm, ic->ic_des_essid, ic->ic_des_esslen);
 
-	/* Tell the firmware where the MAC header is. */
+	*frm++ = IEEE80211_ELEMID_SSID;
+	*frm++ = 0;
+	/* hardware inserts SSID */
+
+	/* Tell firmware where the MAC header and SSID IE are. */
 	preq->mac_header.offset = 0;
 	preq->mac_header.len = htole16(frm - (uint8_t *)wh);
 	remain -= frm - (uint8_t *)wh;
@@ -7216,7 +7219,6 @@ iwm_fill_probe_req(struct iwm_softc *sc, struct iwm_scan_probe_req *preq)
 	frm = ieee80211_add_rates(frm, rs);
 	if (rs->rs_nrates > IEEE80211_RATE_SIZE)
 		frm = ieee80211_add_xrates(frm, rs);
-	preq->band_data[0].len = htole16(frm - pos);
 	remain -= frm - pos;
 
 	if (isset(sc->sc_enabled_capa, 
@@ -7228,6 +7230,7 @@ iwm_fill_probe_req(struct iwm_softc *sc, struct iwm_scan_probe_req *preq)
 		*frm++ = 0;
 		remain -= 3;
 	}
+	preq->band_data[0].len = htole16(frm - pos);
 
 	if (sc->sc_nvm.sku_cap_band_52GHz_enable) {
 		/* Fill in 5GHz IEs. */
-- 
2.20.1