Probe responses shouldn't be encrypted, and mac80211 doesn't set the crypto key accordingly. However it didn't set the IEEE80211_TX_CTL_DO_NOT_ENCRYPT flag which means drivers could make an attempt to encrypt it, and causing a NULL pointer dereference when accessing the provided hw_key field. Signed-off-by: Ivo van Doorn <IvDoorn@xxxxxxxxx> --- diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 7b4d4d4..fd28cd8 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -2531,6 +2531,7 @@ static int ieee80211_sta_join_ibss(struct net_device *dev, control->flags |= IEEE80211_TX_CTL_SHORT_PREAMBLE; control->antenna_sel_tx = local->hw.conf.antenna_sel_tx; control->flags |= IEEE80211_TX_CTL_NO_ACK; + control->flags |= IEEE80211_TX_CTL_DO_NOT_ENCRYPT; control->control.retry_limit = 1; ifsta->probe_resp = skb_copy(skb, GFP_ATOMIC); -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
