diff options
| author | Yoni Divinsky <yoni.divinsky@ti.com> | 2012-01-16 08:18:59 -0500 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2012-01-16 15:01:16 -0500 |
| commit | d32a102819eef99d4d87019266bea208447be0a0 (patch) | |
| tree | ff6484ac0f843dc48c24db2604bfbef1424967e0 /net | |
| parent | 331d9301ed4d0fe33e9762c62f2870243bcf77eb (diff) | |
mac80211: fix tx->skb NULL pointer dereference
In function ieee80211_tx_h_encrypt the var info was
initialized from tx->skb, since the fucntion
is called after the function ieee80211_tx_h_fragment
tx->skb is not valid anymore.
Signed-off-by: Yoni Divinsky <yoni.divinsky@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
| -rw-r--r-- | net/mac80211/tx.c | 10 | ||||
| -rw-r--r-- | net/mac80211/wpa.c | 19 | ||||
| -rw-r--r-- | net/mac80211/wpa.h | 2 |
3 files changed, 22 insertions, 9 deletions
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index edcd1c7ab83f..e05667cd5e76 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c | |||
| @@ -1001,8 +1001,6 @@ ieee80211_tx_h_stats(struct ieee80211_tx_data *tx) | |||
| 1001 | static ieee80211_tx_result debug_noinline | 1001 | static ieee80211_tx_result debug_noinline |
| 1002 | ieee80211_tx_h_encrypt(struct ieee80211_tx_data *tx) | 1002 | ieee80211_tx_h_encrypt(struct ieee80211_tx_data *tx) |
| 1003 | { | 1003 | { |
| 1004 | struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb); | ||
| 1005 | |||
| 1006 | if (!tx->key) | 1004 | if (!tx->key) |
| 1007 | return TX_CONTINUE; | 1005 | return TX_CONTINUE; |
| 1008 | 1006 | ||
| @@ -1017,13 +1015,7 @@ ieee80211_tx_h_encrypt(struct ieee80211_tx_data *tx) | |||
| 1017 | case WLAN_CIPHER_SUITE_AES_CMAC: | 1015 | case WLAN_CIPHER_SUITE_AES_CMAC: |
| 1018 | return ieee80211_crypto_aes_cmac_encrypt(tx); | 1016 | return ieee80211_crypto_aes_cmac_encrypt(tx); |
| 1019 | default: | 1017 | default: |
| 1020 | /* handle hw-only algorithm */ | 1018 | return ieee80211_crypto_hw_encrypt(tx); |
| 1021 | if (info->control.hw_key) { | ||
| 1022 | ieee80211_tx_set_protected(tx); | ||
| 1023 | return TX_CONTINUE; | ||
| 1024 | } | ||
| 1025 | break; | ||
| 1026 | |||
| 1027 | } | 1019 | } |
| 1028 | 1020 | ||
| 1029 | return TX_DROP; | 1021 | return TX_DROP; |
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c index 422b79851ec5..b758350919ff 100644 --- a/net/mac80211/wpa.c +++ b/net/mac80211/wpa.c | |||
| @@ -643,3 +643,22 @@ ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx) | |||
| 643 | 643 | ||
| 644 | return RX_CONTINUE; | 644 | return RX_CONTINUE; |
| 645 | } | 645 | } |
| 646 | |||
| 647 | ieee80211_tx_result | ||
| 648 | ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx) | ||
| 649 | { | ||
| 650 | struct sk_buff *skb; | ||
| 651 | struct ieee80211_tx_info *info = NULL; | ||
| 652 | |||
| 653 | skb_queue_walk(&tx->skbs, skb) { | ||
| 654 | info = IEEE80211_SKB_CB(skb); | ||
| 655 | |||
| 656 | /* handle hw-only algorithm */ | ||
| 657 | if (!info->control.hw_key) | ||
| 658 | return TX_DROP; | ||
| 659 | } | ||
| 660 | |||
| 661 | ieee80211_tx_set_protected(tx); | ||
| 662 | |||
| 663 | return TX_CONTINUE; | ||
| 664 | } | ||
diff --git a/net/mac80211/wpa.h b/net/mac80211/wpa.h index baba0608313e..07e33f899c71 100644 --- a/net/mac80211/wpa.h +++ b/net/mac80211/wpa.h | |||
| @@ -32,5 +32,7 @@ ieee80211_tx_result | |||
| 32 | ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx); | 32 | ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx); |
| 33 | ieee80211_rx_result | 33 | ieee80211_rx_result |
| 34 | ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx); | 34 | ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx); |
| 35 | ieee80211_tx_result | ||
| 36 | ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx); | ||
| 35 | 37 | ||
| 36 | #endif /* WPA_H */ | 38 | #endif /* WPA_H */ |