Dan found a check from ath6kl_rx() which doesn't make any sense at all:
" 1327 if (status || !(skb->data + HTC_HDR_LENGTH)) {
^^^^^^^^^^^^^^^^^^^^^^^^^^
skb->data is a pointer. This pointer math is always going to be false.
Should it be testing "packet->act_len < HTC_HDR_LENGTH" or something?"
I don't know what the check really was supposed to do, but I think Dan's guess
is right. Fix it accordingly.
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxxxx>
---
drivers/net/wireless/ath/ath6kl/txrx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath6kl/txrx.c b/drivers/net/wireless/ath/ath6kl/txrx.c
index 43dbdaa..ebb2404 100644
--- a/drivers/net/wireless/ath/ath6kl/txrx.c
+++ b/drivers/net/wireless/ath/ath6kl/txrx.c
@@ -1327,7 +1327,7 @@ void ath6kl_rx(struct htc_target *target, struct htc_packet *packet)
__func__, ar, ept, skb, packet->buf,
packet->act_len, status);
- if (status || !(skb->data + HTC_HDR_LENGTH)) {
+ if (status || packet->act_len < HTC_HDR_LENGTH) {
dev_kfree_skb(skb);
return;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
