Commit 798ee985 authored by Harvey Harrison's avatar Harvey Harrison Committed by John W. Linville

ath5k: explicitly check skb->len

ieee80211_get_hdrlen_from_skb internally checks that the skb is long
enough to hold the full header, or it returns 0 if not.  The check in
ath5k does not check this case and assumes it always got the actual
header length which it then checks against the skb->len plus some headroom.

Change to ieee80211_hdrlen which always returns the hdrlen and keep the
existing headroom check.
Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 7294ec95
...@@ -1540,7 +1540,7 @@ ath5k_rx_decrypted(struct ath5k_softc *sc, struct ath5k_desc *ds, ...@@ -1540,7 +1540,7 @@ ath5k_rx_decrypted(struct ath5k_softc *sc, struct ath5k_desc *ds,
struct sk_buff *skb, struct ath5k_rx_status *rs) struct sk_buff *skb, struct ath5k_rx_status *rs)
{ {
struct ieee80211_hdr *hdr = (void *)skb->data; struct ieee80211_hdr *hdr = (void *)skb->data;
unsigned int keyix, hlen = ieee80211_get_hdrlen_from_skb(skb); unsigned int keyix, hlen;
if (!(rs->rs_status & AR5K_RXERR_DECRYPT) && if (!(rs->rs_status & AR5K_RXERR_DECRYPT) &&
rs->rs_keyix != AR5K_RXKEYIX_INVALID) rs->rs_keyix != AR5K_RXKEYIX_INVALID)
...@@ -1549,6 +1549,7 @@ ath5k_rx_decrypted(struct ath5k_softc *sc, struct ath5k_desc *ds, ...@@ -1549,6 +1549,7 @@ ath5k_rx_decrypted(struct ath5k_softc *sc, struct ath5k_desc *ds,
/* Apparently when a default key is used to decrypt the packet /* Apparently when a default key is used to decrypt the packet
the hw does not set the index used to decrypt. In such cases the hw does not set the index used to decrypt. In such cases
get the index from the packet. */ get the index from the packet. */
hlen = ieee80211_hdrlen(hdr->frame_control);
if (ieee80211_has_protected(hdr->frame_control) && if (ieee80211_has_protected(hdr->frame_control) &&
!(rs->rs_status & AR5K_RXERR_DECRYPT) && !(rs->rs_status & AR5K_RXERR_DECRYPT) &&
skb->len >= hlen + 4) { skb->len >= hlen + 4) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment