summaryrefslogtreecommitdiffstats
path: root/drivers/net/wireless/ath5k
diff options
context:
space:
mode:
authorHarvey Harrison <harvey.harrison@gmail.com>2008-07-16 03:44:02 +0200
committerJohn W. Linville <linville@tuxdriver.com>2008-08-22 22:29:53 +0200
commit798ee9850e9bf94b4436f9c7238823322e326885 (patch)
treed4af4eb4ec0c75d21b8b353ba04029c2285a4fd6 /drivers/net/wireless/ath5k
parentiwlwifi: use le16 frame control directly, use QOS symbolic constant mask (diff)
downloadlinux-798ee9850e9bf94b4436f9c7238823322e326885.tar.xz
linux-798ee9850e9bf94b4436f9c7238823322e326885.zip
ath5k: explicitly check skb->len
ieee80211_get_hdrlen_from_skb internally checks that the skb is long enough to hold the full header, or it returns 0 if not. The check in ath5k does not check this case and assumes it always got the actual header length which it then checks against the skb->len plus some headroom. Change to ieee80211_hdrlen which always returns the hdrlen and keep the existing headroom check. Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/ath5k')
-rw-r--r--drivers/net/wireless/ath5k/base.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/net/wireless/ath5k/base.c b/drivers/net/wireless/ath5k/base.c
index 114520258b78..c1de1ef09e59 100644
--- a/drivers/net/wireless/ath5k/base.c
+++ b/drivers/net/wireless/ath5k/base.c
@@ -1540,7 +1540,7 @@ ath5k_rx_decrypted(struct ath5k_softc *sc, struct ath5k_desc *ds,
struct sk_buff *skb, struct ath5k_rx_status *rs)
{
struct ieee80211_hdr *hdr = (void *)skb->data;
- unsigned int keyix, hlen = ieee80211_get_hdrlen_from_skb(skb);
+ unsigned int keyix, hlen;
if (!(rs->rs_status & AR5K_RXERR_DECRYPT) &&
rs->rs_keyix != AR5K_RXKEYIX_INVALID)
@@ -1549,6 +1549,7 @@ ath5k_rx_decrypted(struct ath5k_softc *sc, struct ath5k_desc *ds,
/* Apparently when a default key is used to decrypt the packet
the hw does not set the index used to decrypt. In such cases
get the index from the packet. */
+ hlen = ieee80211_hdrlen(hdr->frame_control);
if (ieee80211_has_protected(hdr->frame_control) &&
!(rs->rs_status & AR5K_RXERR_DECRYPT) &&
skb->len >= hlen + 4) {