aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZhu Yi <yi.zhu@intel.com>2006-11-12 22:32:50 -0500
committerJohn W. Linville <linville@tuxdriver.com>2006-11-14 19:31:48 -0500
commitefa53ebe0d2f50bf342eb1976824f59bba9941eb (patch)
tree41b68cfbf14a5540948df806c2a60999627a669c
parent0579e303553655245e8a6616bd8b4428b07d63a2 (diff)
[PATCH] ieee80211: Fix kernel panic when QoS is enabled
The 802.11 header length is affected by the wireless mode (WDS or not) and type (QoS or not). We should use the variable hdr_len instead of the hard coded IEEE80211_3ADDR_LEN, otherwise we may touch invalid memory. Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--net/ieee80211/ieee80211_tx.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/ieee80211/ieee80211_tx.c b/net/ieee80211/ieee80211_tx.c
index ae254497ba3d..854fc13cd78d 100644
--- a/net/ieee80211/ieee80211_tx.c
+++ b/net/ieee80211/ieee80211_tx.c
@@ -390,7 +390,7 @@ int ieee80211_xmit(struct sk_buff *skb, struct net_device *dev)
390 * this stack is providing the full 802.11 header, one will 390 * this stack is providing the full 802.11 header, one will
391 * eventually be affixed to this fragment -- so we must account 391 * eventually be affixed to this fragment -- so we must account
392 * for it when determining the amount of payload space. */ 392 * for it when determining the amount of payload space. */
393 bytes_per_frag = frag_size - IEEE80211_3ADDR_LEN; 393 bytes_per_frag = frag_size - hdr_len;
394 if (ieee->config & 394 if (ieee->config &
395 (CFG_IEEE80211_COMPUTE_FCS | CFG_IEEE80211_RESERVE_FCS)) 395 (CFG_IEEE80211_COMPUTE_FCS | CFG_IEEE80211_RESERVE_FCS))
396 bytes_per_frag -= IEEE80211_FCS_LEN; 396 bytes_per_frag -= IEEE80211_FCS_LEN;
@@ -412,7 +412,7 @@ int ieee80211_xmit(struct sk_buff *skb, struct net_device *dev)
412 } else { 412 } else {
413 nr_frags = 1; 413 nr_frags = 1;
414 bytes_per_frag = bytes_last_frag = bytes; 414 bytes_per_frag = bytes_last_frag = bytes;
415 frag_size = bytes + IEEE80211_3ADDR_LEN; 415 frag_size = bytes + hdr_len;
416 } 416 }
417 417
418 rts_required = (frag_size > ieee->rts 418 rts_required = (frag_size > ieee->rts