On Tue, 2008-10-14 at 23:57 +0200, Felix Fietkau wrote:
> The hw_key pointer is used (and obviously NULL) after skb->cb is
> memset to 0. This patch grabs the iv_len before the memset call.
>
> Signed-off-by: Felix Fietkau <nbd@xxxxxxxxxxx>
> Signed-off-by: Stephen Blackheath <tramp.enshrine.stephen@xxxxxxxxxxxxxxxxx>
Subject should be "rt2x00: " instead of "mac80211 ", but
Acked-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
>
> diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
> index 1676ac4..451d410 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00queue.c
> +++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
> @@ -374,7 +374,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
> struct queue_entry *entry = rt2x00queue_get_entry(queue, Q_INDEX);
> struct txentry_desc txdesc;
> struct skb_frame_desc *skbdesc;
> - unsigned int iv_len;
> + unsigned int iv_len = 0;
>
> if (unlikely(rt2x00queue_full(queue)))
> return -EINVAL;
> @@ -395,6 +395,9 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
> entry->skb = skb;
> rt2x00queue_create_tx_descriptor(entry, &txdesc);
>
> + if (IEEE80211_SKB_CB(skb)->control.hw_key != NULL)
> + iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len;
> +
> /*
> * All information is retreived from the skb->cb array,
> * now we should claim ownership of the driver part of that
> @@ -410,9 +413,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
> * the frame so we can provide it to the driver seperately.
> */
> if (test_bit(ENTRY_TXD_ENCRYPT, &txdesc.flags) &&
> - !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags) &&
> - (IEEE80211_SKB_CB(skb)->control.hw_key != NULL)) {
> - iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len;
> + !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags)) {
> rt2x00crypto_tx_remove_iv(skb, iv_len);
> }
>
>
Attachment:
signature.asc
Description: This is a digitally signed message part
