summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYoni Divinsky <yoni.divinsky@ti.com>2012-01-16 17:18:59 +0400
committerJohn W. Linville <linville@tuxdriver.com>2012-01-17 00:01:16 +0400
commitd32a102819eef99d4d87019266bea208447be0a0 (patch)
treeff6484ac0f843dc48c24db2604bfbef1424967e0
parent331d9301ed4d0fe33e9762c62f2870243bcf77eb (diff)
downloadlinux-d32a102819eef99d4d87019266bea208447be0a0.tar.xz
mac80211: fix tx->skb NULL pointer dereference
In function ieee80211_tx_h_encrypt the var info was initialized from tx->skb, since the fucntion is called after the function ieee80211_tx_h_fragment tx->skb is not valid anymore. Signed-off-by: Yoni Divinsky <yoni.divinsky@ti.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--net/mac80211/tx.c10
-rw-r--r--net/mac80211/wpa.c19
-rw-r--r--net/mac80211/wpa.h2
3 files changed, 22 insertions, 9 deletions
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index edcd1c7ab83f..e05667cd5e76 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1001,8 +1001,6 @@ ieee80211_tx_h_stats(struct ieee80211_tx_data *tx)
static ieee80211_tx_result debug_noinline
ieee80211_tx_h_encrypt(struct ieee80211_tx_data *tx)
{
- struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
-
if (!tx->key)
return TX_CONTINUE;
@@ -1017,13 +1015,7 @@ ieee80211_tx_h_encrypt(struct ieee80211_tx_data *tx)
case WLAN_CIPHER_SUITE_AES_CMAC:
return ieee80211_crypto_aes_cmac_encrypt(tx);
default:
- /* handle hw-only algorithm */
- if (info->control.hw_key) {
- ieee80211_tx_set_protected(tx);
- return TX_CONTINUE;
- }
- break;
-
+ return ieee80211_crypto_hw_encrypt(tx);
}
return TX_DROP;
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 422b79851ec5..b758350919ff 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -643,3 +643,22 @@ ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
return RX_CONTINUE;
}
+
+ieee80211_tx_result
+ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx)
+{
+ struct sk_buff *skb;
+ struct ieee80211_tx_info *info = NULL;
+
+ skb_queue_walk(&tx->skbs, skb) {
+ info = IEEE80211_SKB_CB(skb);
+
+ /* handle hw-only algorithm */
+ if (!info->control.hw_key)
+ return TX_DROP;
+ }
+
+ ieee80211_tx_set_protected(tx);
+
+ return TX_CONTINUE;
+}
diff --git a/net/mac80211/wpa.h b/net/mac80211/wpa.h
index baba0608313e..07e33f899c71 100644
--- a/net/mac80211/wpa.h
+++ b/net/mac80211/wpa.h
@@ -32,5 +32,7 @@ ieee80211_tx_result
ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx);
ieee80211_rx_result
ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx);
+ieee80211_tx_result
+ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx);
#endif /* WPA_H */