aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net/wireless
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2008-10-14 17:57:43 -0400
committerJohn W. Linville <linville@tuxdriver.com>2008-10-14 21:12:39 -0400
commit8713a7ccd88d93d9f8a72436088d6627c82490db (patch)
tree9cca393d207ed193e28d7cf40da706b88c571bf4 /drivers/net/wireless
parenteaca90dab6ab9853223029deffdd226f41b2028c (diff)
rt2x00: fix regression introduced by "mac80211: free up 2 bytes in skb->cb"
The hw_key pointer is used (and obviously NULL) after skb->cb is memset to 0. This patch grabs the iv_len before the memset call. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Stephen Blackheath <tramp.enshrine.stephen@blacksapphire.com> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless')
-rw-r--r--drivers/net/wireless/rt2x00/rt2x00queue.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
index 1676ac484790..451d410ecdae 100644
--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
@@ -374,7 +374,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
374 struct queue_entry *entry = rt2x00queue_get_entry(queue, Q_INDEX); 374 struct queue_entry *entry = rt2x00queue_get_entry(queue, Q_INDEX);
375 struct txentry_desc txdesc; 375 struct txentry_desc txdesc;
376 struct skb_frame_desc *skbdesc; 376 struct skb_frame_desc *skbdesc;
377 unsigned int iv_len; 377 unsigned int iv_len = 0;
378 378
379 if (unlikely(rt2x00queue_full(queue))) 379 if (unlikely(rt2x00queue_full(queue)))
380 return -EINVAL; 380 return -EINVAL;
@@ -395,6 +395,9 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
395 entry->skb = skb; 395 entry->skb = skb;
396 rt2x00queue_create_tx_descriptor(entry, &txdesc); 396 rt2x00queue_create_tx_descriptor(entry, &txdesc);
397 397
398 if (IEEE80211_SKB_CB(skb)->control.hw_key != NULL)
399 iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len;
400
398 /* 401 /*
399 * All information is retreived from the skb->cb array, 402 * All information is retreived from the skb->cb array,
400 * now we should claim ownership of the driver part of that 403 * now we should claim ownership of the driver part of that
@@ -410,9 +413,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
410 * the frame so we can provide it to the driver seperately. 413 * the frame so we can provide it to the driver seperately.
411 */ 414 */
412 if (test_bit(ENTRY_TXD_ENCRYPT, &txdesc.flags) && 415 if (test_bit(ENTRY_TXD_ENCRYPT, &txdesc.flags) &&
413 !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags) && 416 !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags)) {
414 (IEEE80211_SKB_CB(skb)->control.hw_key != NULL)) {
415 iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len;
416 rt2x00crypto_tx_remove_iv(skb, iv_len); 417 rt2x00crypto_tx_remove_iv(skb, iv_len);
417 } 418 }
418 419