提交 d32a1028 编写于 作者: Y Yoni Divinsky 提交者: John W. Linville

mac80211: fix tx->skb NULL pointer dereference

In function ieee80211_tx_h_encrypt the var info was
initialized from tx->skb, since the fucntion
is called after the function ieee80211_tx_h_fragment
tx->skb is not valid anymore.
Signed-off-by: NYoni Divinsky <yoni.divinsky@ti.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
上级 331d9301
......@@ -1001,8 +1001,6 @@ ieee80211_tx_h_stats(struct ieee80211_tx_data *tx)
static ieee80211_tx_result debug_noinline
ieee80211_tx_h_encrypt(struct ieee80211_tx_data *tx)
{
struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
if (!tx->key)
return TX_CONTINUE;
......@@ -1017,13 +1015,7 @@ ieee80211_tx_h_encrypt(struct ieee80211_tx_data *tx)
case WLAN_CIPHER_SUITE_AES_CMAC:
return ieee80211_crypto_aes_cmac_encrypt(tx);
default:
/* handle hw-only algorithm */
if (info->control.hw_key) {
ieee80211_tx_set_protected(tx);
return TX_CONTINUE;
}
break;
return ieee80211_crypto_hw_encrypt(tx);
}
return TX_DROP;
......
......@@ -643,3 +643,22 @@ ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
return RX_CONTINUE;
}
ieee80211_tx_result
ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx)
{
struct sk_buff *skb;
struct ieee80211_tx_info *info = NULL;
skb_queue_walk(&tx->skbs, skb) {
info = IEEE80211_SKB_CB(skb);
/* handle hw-only algorithm */
if (!info->control.hw_key)
return TX_DROP;
}
ieee80211_tx_set_protected(tx);
return TX_CONTINUE;
}
......@@ -32,5 +32,7 @@ ieee80211_tx_result
ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx);
ieee80211_rx_result
ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx);
ieee80211_tx_result
ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx);
#endif /* WPA_H */
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册