summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJavier Lopez <jlopex@cozybit.com>2013-12-16 19:01:07 +0100
committerJohannes Berg <johannes.berg@intel.com>2013-12-16 21:17:07 +0100
commitc0e30763f7ef9c7b7ff663204c9439bdbcac72ca (patch)
tree2ced3780e0ad6715e60a3b08c9194b84fa91df7b
parentradiotap: fix bitmap-end-finding buffer overrun (diff)
downloadlinux-c0e30763f7ef9c7b7ff663204c9439bdbcac72ca.tar.xz
linux-c0e30763f7ef9c7b7ff663204c9439bdbcac72ca.zip
mac80211_hwsim: Fix NULL pointer dereference
mac80211_hwsim was crashing when receiving tx information from user space. Crash happens because txi->rate_driver_data[0] is pointing to a non valid memory address. This code path is only used by wmediumd and wmediumd doesn't provide multiple channel support, so we can pass the channel struct (data2->channel) directly to mac80211_hwsim_monitor_ack function. Signed-off-by: Javier Lopez <jlopex@cozybit.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-rw-r--r--drivers/net/wireless/mac80211_hwsim.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index c72438bb2faf..a1b32ee9594a 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -2011,7 +2011,7 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2,
(hwsim_flags & HWSIM_TX_STAT_ACK)) {
if (skb->len >= 16) {
hdr = (struct ieee80211_hdr *) skb->data;
- mac80211_hwsim_monitor_ack(txi->rate_driver_data[0],
+ mac80211_hwsim_monitor_ack(data2->channel,
hdr->addr2);
}
txi->flags |= IEEE80211_TX_STAT_ACK;