Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 798ee985 authored by Harvey Harrison's avatar Harvey Harrison Committed by John W. Linville
Browse files

ath5k: explicitly check skb->len 



ieee80211_get_hdrlen_from_skb internally checks that the skb is long
enough to hold the full header, or it returns 0 if not.  The check in
ath5k does not check this case and assumes it always got the actual
header length which it then checks against the skb->len plus some headroom.

Change to ieee80211_hdrlen which always returns the hdrlen and keep the
existing headroom check.

Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 7294ec95

drivers/net/wireless/ath5k/base.c

+2 −1
Original line number Diff line number Diff line
@@ -1540,7 +1540,7 @@ ath5k_rx_decrypted(struct ath5k_softc *sc, struct ath5k_desc *ds, 
		struct sk_buff *skb, struct ath5k_rx_status *rs)

{

	struct ieee80211_hdr *hdr = (void *)skb->data;

	unsigned int keyix, hlen = ieee80211_get_hdrlen_from_skb(skb);

	unsigned int keyix, hlen;



	if (!(rs->rs_status & AR5K_RXERR_DECRYPT) &&

			rs->rs_keyix != AR5K_RXKEYIX_INVALID)
@@ -1549,6 +1549,7 @@ ath5k_rx_decrypted(struct ath5k_softc *sc, struct ath5k_desc *ds, 
	/* Apparently when a default key is used to decrypt the packet

	   the hw does not set the index used to decrypt.  In such cases

	   get the index from the packet. */

	hlen = ieee80211_hdrlen(hdr->frame_control);

	if (ieee80211_has_protected(hdr->frame_control) &&

	    !(rs->rs_status & AR5K_RXERR_DECRYPT) &&

	    skb->len >= hlen + 4) {