From: Jason Conti <jason.conti@xxxxxxxxx> This patch fixes a very serious off-by-one bug in the driver, which could leave the device in an unresponsive state. The problem was that the extra_len variable [used to reserve extra scratch buffer space for the firmware] was left uninitialized. Because p54_assign_address later needs the value to reserve additional space, the resulting frame could be to big for the small device's memory window and everything would immediately come to a grinding halt. Reference: https://bugs.launchpad.net/bugs/722185 Cc: <stable@xxxxxxxxxx> Acked-by: Christian Lamparter <chunkeey@xxxxxxxxxxxxxx> Signed-off-by: Jason Conti <jason.conti@xxxxxxxxx> --- Janson Conti, I hope you don't mind the "pretty-printing", right? But, this is not a problem of gcc or debug options and therefore I had to rewrite a few parts to make it clear why this is a "-stable" patch. Thanks for the patch, your work is highly appreciated! Best Regards, Christian --- diff --git a/drivers/net/wireless/p54/txrx.c b/drivers/net/wireless/p54/txrx.c index 3a93162..4d28b52 100644 --- a/drivers/net/wireless/p54/txrx.c +++ b/drivers/net/wireless/p54/txrx.c @@ -703,7 +703,7 @@ void p54_tx_80211(struct ieee80211_hw *dev, struct sk_buff *skb) struct p54_tx_info *p54info; struct p54_hdr *hdr; struct p54_tx_data *txhdr; - unsigned int padding, len, extra_len; + unsigned int padding, len, extra_len = 0; int i, j, ridx; u16 hdr_flags = 0, aid = 0; u8 rate, queue = 0, crypt_offset = 0; -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
