
mac80211: fix tx->skb NULL pointer dereference

In function ieee80211_tx_h_encrypt the variable info was
initialized from tx->skb. Since the function
is called after the function ieee80211_tx_h_fragment,
tx->skb is not valid anymore.

Signed-off-by: Yoni Divinsky <yoni.divinsky@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

authored by

Yoni Divinsky and committed by
John W. Linville
d32a1028 331d9301

+22 -9
+1 -9
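--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1001,8 +1001,6 @@
 static ieee80211_tx_result debug_noinline
 ieee80211_tx_h_encrypt(struct ieee80211_tx_data *tx)
 {
-	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
-
 	if (!tx->key)
 		return TX_CONTINUE;
 
@@ -1015,13 +1017,7 @@
 	case WLAN_CIPHER_SUITE_AES_CMAC:
 		return ieee80211_crypto_aes_cmac_encrypt(tx);
 	default:
-		/* handle hw-only algorithm */
-		if (info->control.hw_key) {
-			ieee80211_tx_set_protected(tx);
-			return TX_CONTINUE;
-		}
-		break;
-
+		return ieee80211_crypto_hw_encrypt(tx);
 	}
 
 	return TX_DROP;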
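Review bot: With `default:` now ending in `return ieee80211_crypto_hw_encrypt(tx);`, the `return TX_DROP;` after the switch looks unreachable, assuming the cases outside this hunk all return the way the visible `WLAN_CIPHER_SUITE_AES_CMAC` case does. The decision to drop a frame whose cipher has no software handler and no hardware key used to be visible at this spot and now lives only in the helper in wpa.c. A one-line comment on the default case, for example `/* hw-only cipher: helper drops the frame unless every fragment has a hw_key */`, would keep that fail-closed behaviour readable here. The switch starts outside the hunk, so the other cases could not be checked.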
+19
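--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -643,3 +643,22 @@
 
 	return RX_CONTINUE;
 }
+
+ieee80211_tx_result
+ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx)
+{
+	struct sk_buff *skb;
+	struct ieee80211_tx_info *info = NULL;
+
+	skb_queue_walk(&tx->skbs, skb) {
+		info  = IEEE80211_SKB_CB(skb);
+
+		/* handle hw-only algorithm */
+		if (!info->control.hw_key)
+			return TX_DROP;
+	}
+
+	ieee80211_tx_set_protected(tx);
+
+	return TX_CONTINUE;
+}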
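Review bot: ieee80211_crypto_hw_encrypt() has no comment stating its contract, and its only comment, `/* handle hw-only algorithm */`, sits directly above the `return TX_DROP;` branch, where it reads as if dropping were the hw-only handling. What the code does is let a frame continue only when every skb on `tx->skbs` has `control.hw_key` set, and drop it otherwise. A header comment such as `/* hw-only cipher: every queued fragment must carry a hw_key, otherwise drop the frame */` would make that explicit. If `tx->skbs` could ever be empty here, the loop body would not run and the function would return TX_CONTINUE without checking any key; the caller presumably rules that out, but this hunk does not show it. The `= NULL` initialiser on `info` is never read, because `info` is assigned before its only use.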
+2
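--- a/net/mac80211/wpa.h
+++ b/net/mac80211/wpa.h
@@ -32,5 +32,7 @@
 ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx);
 ieee80211_rx_result
 ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx);
+ieee80211_tx_result
+ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx);
 
 #endif /* WPA_H */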