net80211 drivers: fix ieee80211_init_channels() usage

Fix out-of-bounds read (all) / write (11n capable) for drivers
that are using ieee80211_init_channels() to initialize channel list.

Tested with:
 * RTL8188EU, STA mode.
 * RTL8188CUS, STA mode.
 * WUSB54GC, HOSTAP mode.

Approved by:	adrian (mentor)
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D4818

sys/dev/bwi/if_bwi.c

@@ -356,8 +356,8 @@ bwi_attach(struct bwi_softc *sc)
 	device_t dev = sc->sc_dev;
 	struct bwi_mac *mac;
 	struct bwi_phy *phy;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
 	int i, error;
-	uint8_t bands;
 
 	BWI_LOCK_INIT(sc);
 
@@ -453,15 +453,15 @@ bwi_attach(struct bwi_softc *sc)
 	/*
 	 * Setup ratesets, phytype, channels and get MAC address
 	 */
-	bands = 0;
+	memset(bands, 0, sizeof(bands));
 	if (phy->phy_mode == IEEE80211_MODE_11B ||
 	    phy->phy_mode == IEEE80211_MODE_11G) {
-		setbit(&bands, IEEE80211_MODE_11B);
+		setbit(bands, IEEE80211_MODE_11B);
 		if (phy->phy_mode == IEEE80211_MODE_11B) {
 			ic->ic_phytype = IEEE80211_T_DS;
 		} else {
 			ic->ic_phytype = IEEE80211_T_OFDM;
-			setbit(&bands, IEEE80211_MODE_11G);
+			setbit(bands, IEEE80211_MODE_11G);
 		}
 
 		bwi_get_eaddr(sc, BWI_SPROM_11BG_EADDR, ic->ic_macaddr);
@@ -475,7 +475,7 @@ bwi_attach(struct bwi_softc *sc)
 		}
 	} else if (phy->phy_mode == IEEE80211_MODE_11A) {
 		/* TODO:11A */
-		setbit(&bands, IEEE80211_MODE_11A);
+		setbit(bands, IEEE80211_MODE_11A);
 		error = ENXIO;
 		goto fail;
 	} else {
@@ -487,7 +487,7 @@ bwi_attach(struct bwi_softc *sc)
 				   BWI_SPROM_CARD_INFO_LOCALE);
 	DPRINTF(sc, BWI_DBG_ATTACH, "locale: %d\n", sc->sc_locale);
 	/* XXX use locale */
-	ieee80211_init_channels(ic, NULL, &bands);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ic->ic_softc = sc;
 	ic->ic_name = device_get_nameunit(dev);

sys/dev/if_ndis/if_ndis.c

@@ -724,8 +724,8 @@ ndis_80211attach(struct ndis_softc *sc)
 	ndis_80211_rates_ex	rates;
 	struct ndis_80211_nettype_list *ntl;
 	uint32_t		arg;
-	int			mode, i, r, len;
-	uint8_t			bands = 0;
+	int			mode, i, r, len, nonettypes = 1;
+	uint8_t			bands[howmany(IEEE80211_MODE_MAX, 8)] = { 0 };
 
 	callout_init(&sc->ndis_scan_callout, 1);
 
@@ -751,8 +751,9 @@ ndis_80211attach(struct ndis_softc *sc)
 	for (i = 0; i < ntl->ntl_items; i++) {
 		mode = ndis_nettype_mode(ntl->ntl_type[i]);
 		if (mode) {
+			nonettypes = 0;
 			setbit(ic->ic_modecaps, mode);
-			setbit(&bands, mode);
+			setbit(bands, mode);
 		} else
 			device_printf(sc->ndis_dev, "Unknown nettype %d\n",
 			    ntl->ntl_type[i]);
@@ -760,9 +761,9 @@ ndis_80211attach(struct ndis_softc *sc)
 	free(ntl, M_DEVBUF);
 nonettypes:
 	/* Default to 11b channels if the card did not supply any */
-	if (bands == 0) {
+	if (nonettypes) {
 		setbit(ic->ic_modecaps, IEEE80211_MODE_11B);
-		setbit(&bands, IEEE80211_MODE_11B);
+		setbit(bands, IEEE80211_MODE_11B);
 	}
 	len = sizeof(rates);
 	bzero((char *)&rates, len);
@@ -859,7 +860,7 @@ ndis_80211attach(struct ndis_softc *sc)
 #undef INCRATE
 #undef TESTSETRATE
 
-	ieee80211_init_channels(ic, NULL, &bands);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	/*
 	 * To test for WPA support, we need to see if we can

sys/dev/iwi/if_iwi.c

@@ -271,8 +271,8 @@ iwi_attach(device_t dev)
 	struct iwi_softc *sc = device_get_softc(dev);
 	struct ieee80211com *ic = &sc->sc_ic;
 	uint16_t val;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
 	int i, error;
-	uint8_t bands;
 
 	sc->sc_dev = dev;
 
@@ -373,13 +373,13 @@ iwi_attach(device_t dev)
 	val = iwi_read_prom_word(sc, IWI_EEPROM_MAC + 2);
 	ic->ic_macaddr[4] = val & 0xff;
 	ic->ic_macaddr[5] = val >> 8;
-	
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
+
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
 	if (pci_get_device(dev) >= 0x4223) 
-		setbit(&bands, IEEE80211_MODE_11A);
-	ieee80211_init_channels(ic, NULL, &bands);
+		setbit(bands, IEEE80211_MODE_11A);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 	/* override default methods */

sys/dev/malo/if_malo.c

@@ -173,7 +173,7 @@ malo_attach(uint16_t devid, struct malo_softc *sc)
 	struct ieee80211com *ic = &sc->malo_ic;
 	struct malo_hal *mh;
 	int error;
-	uint8_t bands;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
 
 	MALO_LOCK_INIT(sc);
 	callout_init_mtx(&sc->malo_watchdog_timer, &sc->malo_mtx, 0);
@@ -222,10 +222,10 @@ malo_attach(uint16_t devid, struct malo_softc *sc)
 	    sc->malo_hwspecs.wcbbase[2], sc->malo_hwspecs.wcbbase[3]);
 
 	/* NB: firmware looks that it does not export regdomain info API.  */
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
-	ieee80211_init_channels(ic, NULL, &bands);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	sc->malo_txantenna = 0x2;	/* h/w default */
 	sc->malo_rxantenna = 0xffff;	/* h/w default */

sys/dev/otus/if_otus.c

@@ -624,8 +624,8 @@ otus_attachhook(struct otus_softc *sc)
 	struct ieee80211com *ic = &sc->sc_ic;
 	usb_device_request_t req;
 	uint32_t in, out;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
 	int error;
-	uint8_t bands;
 
 	/* Not locked */
 	error = otus_load_firmware(sc, "otusfw_init", AR_FW_INIT_ADDR);
@@ -743,19 +743,19 @@ otus_attachhook(struct otus_softc *sc)
 	otus_get_chanlist(sc);
 #else
 	/* Set supported .11b and .11g rates. */
-	bands = 0;
+	memset(bands, 0, sizeof(bands));
 	if (sc->eeprom.baseEepHeader.opCapFlags & AR5416_OPFLAGS_11G) {
-		setbit(&bands, IEEE80211_MODE_11B);
-		setbit(&bands, IEEE80211_MODE_11G);
+		setbit(bands, IEEE80211_MODE_11B);
+		setbit(bands, IEEE80211_MODE_11G);
 	}
 	if (sc->eeprom.baseEepHeader.opCapFlags & AR5416_OPFLAGS_11A) {
-		setbit(&bands, IEEE80211_MODE_11A);
+		setbit(bands, IEEE80211_MODE_11A);
 	}
 #if 0
 	if (sc->sc_ht)
-		setbit(&bands, IEEE80211_MODE_11NG);
+		setbit(bands, IEEE80211_MODE_11NG);
 #endif
-	ieee80211_init_channels(ic, NULL, &bands);
+	ieee80211_init_channels(ic, NULL, bands);
 #endif
 
 	ieee80211_ifattach(ic);

sys/dev/ral/rt2560.c

@@ -199,7 +199,7 @@ rt2560_attach(device_t dev, int id)
 {
 	struct rt2560_softc *sc = device_get_softc(dev);
 	struct ieee80211com *ic = &sc->sc_ic;
-	uint8_t bands;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
 	int error;
 
 	sc->sc_dev = dev;
@@ -278,12 +278,12 @@ rt2560_attach(device_t dev, int id)
 #endif
 		;
 
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
 	if (sc->rf_rev == RT2560_RF_5222)
-		setbit(&bands, IEEE80211_MODE_11A);
-	ieee80211_init_channels(ic, NULL, &bands);
+		setbit(bands, IEEE80211_MODE_11A);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 	ic->ic_raw_xmit = rt2560_raw_xmit;

sys/dev/ral/rt2661.c

@@ -199,8 +199,8 @@ rt2661_attach(device_t dev, int id)
 	struct rt2661_softc *sc = device_get_softc(dev);
 	struct ieee80211com *ic = &sc->sc_ic;
 	uint32_t val;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
 	int error, ac, ntries;
-	uint8_t bands;
 
 	sc->sc_id = id;
 	sc->sc_dev = dev;
@@ -279,12 +279,12 @@ rt2661_attach(device_t dev, int id)
 #endif
 		;
 
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
 	if (sc->rf_rev == RT2661_RF_5225 || sc->rf_rev == RT2661_RF_5325) 
-		setbit(&bands, IEEE80211_MODE_11A);
-	ieee80211_init_channels(ic, NULL, &bands);
+		setbit(bands, IEEE80211_MODE_11A);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 #if 0

sys/dev/ral/rt2860.c

@@ -232,8 +232,8 @@ rt2860_attach(device_t dev, int id)
 	struct rt2860_softc *sc = device_get_softc(dev);
 	struct ieee80211com *ic = &sc->sc_ic;
 	uint32_t tmp;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
 	int error, ntries, qid;
-	uint8_t bands;
 
 	sc->sc_dev = dev;
 	sc->sc_debug = 0;
@@ -319,12 +319,12 @@ rt2860_attach(device_t dev, int id)
 		| IEEE80211_C_WME		/* 802.11e */
 		;
 
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
 	if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850)
-		setbit(&bands, IEEE80211_MODE_11A);
-	ieee80211_init_channels(ic, NULL, &bands);
+		setbit(bands, IEEE80211_MODE_11A);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 

sys/dev/rtwn/if_rtwn.c

@@ -251,7 +251,7 @@ rtwn_attach(device_t dev)
 	struct rtwn_softc *sc = device_get_softc(dev);
 	struct ieee80211com *ic = &sc->sc_ic;
 	uint32_t lcsr;
-	uint8_t bands;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
 	int i, count, error, rid;
 
 	sc->sc_dev = dev;
@@ -353,10 +353,10 @@ rtwn_attach(device_t dev)
 		| IEEE80211_C_WME		/* 802.11e */
 		;
 
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
-	ieee80211_init_channels(ic, NULL, &bands);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 

sys/dev/usb/wlan/if_rsu.c

@@ -403,7 +403,8 @@ rsu_attach(device_t self)
 	struct rsu_softc *sc = device_get_softc(self);
 	struct ieee80211com *ic = &sc->sc_ic;
 	int error;
-	uint8_t iface_index, bands;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+	uint8_t iface_index;
 	struct usb_interface *iface;
 	const char *rft;
 
@@ -531,12 +532,12 @@ rsu_attach(device_t self)
 	}
 
 	/* Set supported .11b and .11g rates. */
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
 	if (sc->sc_ht)
-		setbit(&bands, IEEE80211_MODE_11NG);
-	ieee80211_init_channels(ic, NULL, &bands);
+		setbit(bands, IEEE80211_MODE_11NG);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 	ic->ic_raw_xmit = rsu_raw_xmit;

sys/dev/usb/wlan/if_rum.c

@@ -468,8 +468,9 @@ rum_attach(device_t self)
 	struct usb_attach_arg *uaa = device_get_ivars(self);
 	struct rum_softc *sc = device_get_softc(self);
 	struct ieee80211com *ic = &sc->sc_ic;
-	uint8_t iface_index, bands;
 	uint32_t tmp;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+	uint8_t iface_index;
 	int error, ntries;
 
 	device_set_usb_desc(self);
@@ -537,12 +538,12 @@ rum_attach(device_t self)
 	    IEEE80211_CRYPTO_TKIPMIC |
 	    IEEE80211_CRYPTO_TKIP;
 
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
 	if (sc->rf_rev == RT2573_RF_5225 || sc->rf_rev == RT2573_RF_5226)
-		setbit(&bands, IEEE80211_MODE_11A);
-	ieee80211_init_channels(ic, NULL, &bands);
+		setbit(bands, IEEE80211_MODE_11A);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 	ic->ic_update_promisc = rum_update_promisc;

sys/dev/usb/wlan/if_run.c

@@ -704,8 +704,9 @@ run_attach(device_t self)
 	struct usb_attach_arg *uaa = device_get_ivars(self);
 	struct ieee80211com *ic = &sc->sc_ic;
 	uint32_t ver;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+	uint8_t iface_index;
 	int ntries, error;
-	uint8_t iface_index, bands;
 
 	device_set_usb_desc(self);
 	sc->sc_udev = uaa->device;
@@ -785,14 +786,14 @@ run_attach(device_t self)
 	ic->ic_flags |= IEEE80211_F_DATAPAD;
 	ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
 
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
 	if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 ||
 	    sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 ||
 	    sc->rf_rev == RT5592_RF_5592)
-		setbit(&bands, IEEE80211_MODE_11A);
-	ieee80211_init_channels(ic, NULL, &bands);
+		setbit(bands, IEEE80211_MODE_11A);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 

sys/dev/usb/wlan/if_uath.c

@@ -328,7 +328,8 @@ uath_attach(device_t dev)
 	struct uath_softc *sc = device_get_softc(dev);
 	struct usb_attach_arg *uaa = device_get_ivars(dev);
 	struct ieee80211com *ic = &sc->sc_ic;
-	uint8_t bands, iface_index = UATH_IFACE_INDEX;		/* XXX */
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+	uint8_t iface_index = UATH_IFACE_INDEX;		/* XXX */
 	usb_error_t error;
 
 	sc->sc_dev = dev;
@@ -431,13 +432,13 @@ uath_attach(device_t dev)
 	/* put a regulatory domain to reveal informations.  */
 	uath_regdomain = sc->sc_devcap.regDomain;
 
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
 	if ((sc->sc_devcap.analog5GhzRevision & 0xf0) == 0x30)
-		setbit(&bands, IEEE80211_MODE_11A);
+		setbit(bands, IEEE80211_MODE_11A);
 	/* XXX turbo */
-	ieee80211_init_channels(ic, NULL, &bands);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 	ic->ic_raw_xmit = uath_raw_xmit;

sys/dev/usb/wlan/if_upgt.c

@@ -243,7 +243,8 @@ upgt_attach(device_t dev)
 	struct upgt_softc *sc = device_get_softc(dev);
 	struct ieee80211com *ic = &sc->sc_ic;
 	struct usb_attach_arg *uaa = device_get_ivars(dev);
-	uint8_t bands, iface_index = UPGT_IFACE_INDEX;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+	uint8_t iface_index = UPGT_IFACE_INDEX;
 	int error;
 
 	sc->sc_dev = dev;
@@ -337,10 +338,10 @@ upgt_attach(device_t dev)
 	        | IEEE80211_C_WPA		/* 802.11i */
 		;
 
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
-	ieee80211_init_channels(ic, NULL, &bands);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 	ic->ic_raw_xmit = upgt_raw_xmit;

sys/dev/usb/wlan/if_ural.c

@@ -424,7 +424,8 @@ ural_attach(device_t self)
 	struct usb_attach_arg *uaa = device_get_ivars(self);
 	struct ural_softc *sc = device_get_softc(self);
 	struct ieee80211com *ic = &sc->sc_ic;
-	uint8_t iface_index, bands;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+	uint8_t iface_index;
 	int error;
 
 	device_set_usb_desc(self);
@@ -473,12 +474,12 @@ ural_attach(device_t self)
 	    | IEEE80211_C_WPA		/* 802.11i */
 	    ;
 
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
 	if (sc->rf_rev == RAL_RF_5222)
-		setbit(&bands, IEEE80211_MODE_11A);
-	ieee80211_init_channels(ic, NULL, &bands);
+		setbit(bands, IEEE80211_MODE_11A);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 	ic->ic_update_promisc = ural_update_promisc;

sys/dev/usb/wlan/if_urtw.c

@@ -785,7 +785,8 @@ urtw_attach(device_t dev)
 	struct urtw_softc *sc = device_get_softc(dev);
 	struct usb_attach_arg *uaa = device_get_ivars(dev);
 	struct ieee80211com *ic = &sc->sc_ic;
-	uint8_t bands, iface_index = URTW_IFACE_INDEX;		/* XXX */
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+	uint8_t iface_index = URTW_IFACE_INDEX;		/* XXX */
 	uint16_t n_setup;
 	uint32_t data;
 	usb_error_t error;
@@ -876,10 +877,10 @@ urtw_attach(device_t dev)
 	    IEEE80211_C_BGSCAN |	/* capable of bg scanning */
 	    IEEE80211_C_WPA;		/* 802.11i */
 
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
-	ieee80211_init_channels(ic, NULL, &bands);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 	ic->ic_raw_xmit = urtw_raw_xmit;

sys/dev/usb/wlan/if_urtwn.c

@@ -439,7 +439,7 @@ urtwn_attach(device_t self)
 	struct usb_attach_arg *uaa = device_get_ivars(self);
 	struct urtwn_softc *sc = device_get_softc(self);
 	struct ieee80211com *ic = &sc->sc_ic;
-	uint8_t bands;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
 	int error;
 
 	device_set_usb_desc(self);
@@ -525,10 +525,10 @@ urtwn_attach(device_t self)
 	    IEEE80211_CRYPTO_TKIP |
 	    IEEE80211_CRYPTO_AES_CCM;
 
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
-	ieee80211_init_channels(ic, NULL, &bands);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 	ic->ic_raw_xmit = urtwn_raw_xmit;

sys/dev/usb/wlan/if_zyd.c

@@ -334,7 +334,8 @@ zyd_attach(device_t dev)
 	struct usb_attach_arg *uaa = device_get_ivars(dev);
 	struct zyd_softc *sc = device_get_softc(dev);
 	struct ieee80211com *ic = &sc->sc_ic;
-	uint8_t iface_index, bands;
+	uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+	uint8_t iface_index;
 	int error;
 
 	if (uaa->info.bcdDevice < 0x4330) {
@@ -387,10 +388,10 @@ zyd_attach(device_t dev)
 	        | IEEE80211_C_WPA		/* 802.11i */
 		;
 
-	bands = 0;
-	setbit(&bands, IEEE80211_MODE_11B);
-	setbit(&bands, IEEE80211_MODE_11G);
-	ieee80211_init_channels(ic, NULL, &bands);
+	memset(bands, 0, sizeof(bands));
+	setbit(bands, IEEE80211_MODE_11B);
+	setbit(bands, IEEE80211_MODE_11G);
+	ieee80211_init_channels(ic, NULL, bands);
 
 	ieee80211_ifattach(ic);
 	ic->ic_raw_xmit = zyd_raw_xmit;