Commit 8713a7cc authored by Felix Fietkau's avatar Felix Fietkau Committed by John W. Linville

rt2x00: fix regression introduced by "mac80211: free up 2 bytes in skb->cb"

The hw_key pointer is used (and obviously NULL) after skb->cb is
memset to 0. This patch grabs the iv_len before the memset call.
Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
Signed-off-by: default avatarStephen Blackheath <tramp.enshrine.stephen@blacksapphire.com>
Acked-by: default avatarJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent eaca90da
...@@ -374,7 +374,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb) ...@@ -374,7 +374,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
struct queue_entry *entry = rt2x00queue_get_entry(queue, Q_INDEX); struct queue_entry *entry = rt2x00queue_get_entry(queue, Q_INDEX);
struct txentry_desc txdesc; struct txentry_desc txdesc;
struct skb_frame_desc *skbdesc; struct skb_frame_desc *skbdesc;
unsigned int iv_len; unsigned int iv_len = 0;
if (unlikely(rt2x00queue_full(queue))) if (unlikely(rt2x00queue_full(queue)))
return -EINVAL; return -EINVAL;
...@@ -395,6 +395,9 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb) ...@@ -395,6 +395,9 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
entry->skb = skb; entry->skb = skb;
rt2x00queue_create_tx_descriptor(entry, &txdesc); rt2x00queue_create_tx_descriptor(entry, &txdesc);
if (IEEE80211_SKB_CB(skb)->control.hw_key != NULL)
iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len;
/* /*
* All information is retreived from the skb->cb array, * All information is retreived from the skb->cb array,
* now we should claim ownership of the driver part of that * now we should claim ownership of the driver part of that
...@@ -410,9 +413,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb) ...@@ -410,9 +413,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
* the frame so we can provide it to the driver seperately. * the frame so we can provide it to the driver seperately.
*/ */
if (test_bit(ENTRY_TXD_ENCRYPT, &txdesc.flags) && if (test_bit(ENTRY_TXD_ENCRYPT, &txdesc.flags) &&
!test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags) && !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags)) {
(IEEE80211_SKB_CB(skb)->control.hw_key != NULL)) {
iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len;
rt2x00crypto_tx_remove_iv(skb, iv_len); rt2x00crypto_tx_remove_iv(skb, iv_len);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment