diff options
author | Javier Lopez <jlopex@cozybit.com> | 2013-12-16 19:01:07 +0100 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2013-12-16 21:17:07 +0100 |
commit | c0e30763f7ef9c7b7ff663204c9439bdbcac72ca (patch) | |
tree | 2ced3780e0ad6715e60a3b08c9194b84fa91df7b | |
parent | radiotap: fix bitmap-end-finding buffer overrun (diff) | |
download | linux-c0e30763f7ef9c7b7ff663204c9439bdbcac72ca.tar.xz linux-c0e30763f7ef9c7b7ff663204c9439bdbcac72ca.zip |
mac80211_hwsim: Fix NULL pointer dereference
mac80211_hwsim was crashing when receiving tx information from user
space. Crash happens because txi->rate_driver_data[0] is pointing to a
non valid memory address.
This code path is only used by wmediumd and wmediumd doesn't provide
multiple channel support, so we can pass the channel struct
(data2->channel) directly to mac80211_hwsim_monitor_ack function.
Signed-off-by: Javier Lopez <jlopex@cozybit.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-rw-r--r-- | drivers/net/wireless/mac80211_hwsim.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index c72438bb2faf..a1b32ee9594a 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -2011,7 +2011,7 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2, (hwsim_flags & HWSIM_TX_STAT_ACK)) { if (skb->len >= 16) { hdr = (struct ieee80211_hdr *) skb->data; - mac80211_hwsim_monitor_ack(txi->rate_driver_data[0], + mac80211_hwsim_monitor_ack(data2->channel, hdr->addr2); } txi->flags |= IEEE80211_TX_STAT_ACK; |