Commit 055249d2 authored Mar 13, 2009 by Jouni Malinen Committed by John W. Linville Mar 16, 2009

mac80211: Fix panic on fragmentation with power saving



It was possible to hit a kernel panic on NULL pointer dereference in
dev_queue_xmit() when sending power save buffered frames to a STA that
woke up from sleep. This happened when the buffered frame was requeued
for transmission in ap_sta_ps_end(). In order to avoid the panic, copy
the skb->dev and skb->iif values from the first fragment to all other
fragments.

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

parent 5ec905a8

net/mac80211/tx.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -752,6 +752,8 @@ ieee80211_tx_h_fragment(struct ieee80211_tx_data *tx)
		skb_copy_queue_mapping(frag, first);

		frag->do_not_encrypt = first->do_not_encrypt;
		frag->dev = first->dev;
		frag->iif = first->iif;

		pos += copylen;
		left -= copylen;