aboutsummaryrefslogtreecommitdiffstats
path: root/net/mac80211
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2009-03-13 07:59:39 -0400
committerJohn W. Linville <linville@tuxdriver.com>2009-03-16 18:01:59 -0400
commit055249d20de06c290fe7625be0a7164bef3958f5 (patch)
tree01e03e8e32022dc01400f51befb8c843f4ea1bad /net/mac80211
parent5ec905a8df3fa877566ba98298433fbfb3d688cc (diff)
mac80211: Fix panic on fragmentation with power saving
It was possible to hit a kernel panic on NULL pointer dereference in dev_queue_xmit() when sending power save buffered frames to a STA that woke up from sleep. This happened when the buffered frame was requeued for transmission in ap_sta_ps_end(). In order to avoid the panic, copy the skb->dev and skb->iif values from the first fragment to all other fragments. Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211')
-rw-r--r--net/mac80211/tx.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 94de5033f0b6..37e3d5ef7e3f 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -752,6 +752,8 @@ ieee80211_tx_h_fragment(struct ieee80211_tx_data *tx)
752 skb_copy_queue_mapping(frag, first); 752 skb_copy_queue_mapping(frag, first);
753 753
754 frag->do_not_encrypt = first->do_not_encrypt; 754 frag->do_not_encrypt = first->do_not_encrypt;
755 frag->dev = first->dev;
756 frag->iif = first->iif;
755 757
756 pos += copylen; 758 pos += copylen;
757 left -= copylen; 759 left -= copylen;