From d7ea3be56adc95b17351221fd95e78115f3b01f4 Mon Sep 17 00:00:00 2001
From: Brandon Craig Rhodes <brandon@rhodesmill.org>
Date: Mon, 28 May 2007 09:38:46 -0700
Subject: [PATCH] hostap: Allocate enough tailroom for TKIP

When hostap_tx_encrypt() tries to allocate enough headroom and
tailroom for ieee80211 encryption, it only makes enough room for the
"mpdu" phase of the operation, but forgets about the "msdu" phase.
(For TKIP, these two phases require, respectively, 4 and 8 bytes of
tailroom, per the "ieee80211_crypt_tkip" structure at the bottom of
net/ieee80211/ieee80211_crypt_tkip.c.)

Signed-off-by: Brandon Craig Rhodes <brandon@rhodesmill.org>
Signed-off-by: Jouni Malinen <j@w1.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
 drivers/net/wireless/hostap/hostap_80211_tx.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

(limited to 'drivers/net/wireless/hostap')

diff --git a/drivers/net/wireless/hostap/hostap_80211_tx.c b/drivers/net/wireless/hostap/hostap_80211_tx.c
index 246fac0e8001..3df3c60263d4 100644
--- a/drivers/net/wireless/hostap/hostap_80211_tx.c
+++ b/drivers/net/wireless/hostap/hostap_80211_tx.c
@@ -311,7 +311,7 @@ static struct sk_buff * hostap_tx_encrypt(struct sk_buff *skb,
 	local_info_t *local;
 	struct ieee80211_hdr_4addr *hdr;
 	u16 fc;
-	int hdr_len, res;
+	int prefix_len, postfix_len, hdr_len, res;
 
 	iface = netdev_priv(skb->dev);
 	local = iface->local;
@@ -337,10 +337,13 @@ static struct sk_buff * hostap_tx_encrypt(struct sk_buff *skb,
 	if (skb == NULL)
 		return NULL;
 
-	if ((skb_headroom(skb) < crypt->ops->extra_mpdu_prefix_len ||
-	     skb_tailroom(skb) < crypt->ops->extra_mpdu_postfix_len) &&
-	    pskb_expand_head(skb, crypt->ops->extra_mpdu_prefix_len,
-			     crypt->ops->extra_mpdu_postfix_len, GFP_ATOMIC)) {
+	prefix_len = crypt->ops->extra_mpdu_prefix_len +
+		crypt->ops->extra_msdu_prefix_len;
+	postfix_len = crypt->ops->extra_mpdu_postfix_len +
+		crypt->ops->extra_msdu_postfix_len;
+	if ((skb_headroom(skb) < prefix_len ||
+	     skb_tailroom(skb) < postfix_len) &&
+	    pskb_expand_head(skb, prefix_len, postfix_len, GFP_ATOMIC)) {
 		kfree_skb(skb);
 		return NULL;
 	}
-- 
cgit v1.2.3