In ieee80211_xmit_fast_finish(), there is an if statement on line 3356 to check whether key is NULL: if (key) When key is NULL, it is used on line 3388: switch (key->conf.cipher) and line 3393: pn = atomic64_inc_return(&key->conf.tx_pn); and line 3396: crypto_hdr[3] = 0x20 | (key->conf.keyidx << 6); Thus, possible null-pointer dereferences may occur. To fix these bugs, key is checked on line 3384. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx> --- net/mac80211/tx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index f13eb2f61ccf..2cc261165b91 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -3381,7 +3381,7 @@ static void ieee80211_xmit_fast_finish(struct ieee80211_sub_if_data *sdata, sta->tx_stats.bytes[skb_get_queue_mapping(skb)] += skb->len; sta->tx_stats.packets[skb_get_queue_mapping(skb)]++; - if (pn_offs) { + if (key && pn_offs) { u64 pn; u8 *crypto_hdr = skb->data + pn_offs; -- 2.17.0