mac80211_hwsim: Fix NULL pointer dereference

mac80211_hwsim was crashing when receiving tx information from user space. Crash happens because txi->rate_driver_data[0] is pointing to a non valid memory address. This code path is only used by wmediumd and wmediumd doesn't provide multiple channel support, so we can pass the channel struct (data2->channel) directly to mac80211_hwsim_monitor_ack function. Signed-off-by: N Javier Lopez <jlopex@cozybit.com> Signed-off-by: N Johannes Berg <johannes.berg@intel.com>

mac80211_hwsim: Fix NULL pointer dereference
mac80211_hwsim was crashing when receiving tx information from user space. Crash happens because txi->rate_driver_data[0] is pointing to a non valid memory address. This code path is only used by wmediumd and wmediumd doesn't provide multiple channel support, so we can pass the channel struct (data2->channel) directly to mac80211_hwsim_monitor_ack function. Signed-off-by: N Javier Lopez <jlopex@cozybit.com> Signed-off-by: N Johannes Berg <johannes.berg@intel.com>
c0e30763 · Javier Lopez · Johannes Berg · bd02cd25 · c0e30763
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/net/wireless/mac80211_hwsim.c drivers/net/wireless/mac80211_hwsim.c +1 -1

未找到文件。
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -2011,7 +2011,7 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2,
 	   (hwsim_flags & HWSIM_TX_STAT_ACK)) {
 		if (skb->len >= 16) {
 			hdr = (struct ieee80211_hdr *) skb->data;
-			mac80211_hwsim_monitor_ack(txi->rate_driver_data[0],
+			mac80211_hwsim_monitor_ack(data2->channel,
 						   hdr->addr2);
 		}
 		txi->flags |= IEEE80211_TX_STAT_ACK;