diff options
author | Max Stepanov <Max.Stepanov@intel.com> | 2014-07-09 15:55:32 +0200 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2014-07-21 12:34:08 +0200 |
commit | aeb136c5b433377324f030b1a50b96eb7a99193b (patch) | |
tree | cbebda7a6a91bf5e6edc4b48ad3cbe29977288e1 /net/mac80211/wpa.c | |
parent | wireless: fixup genregdb.awk for remove of antenna gain from wireless-regd (diff) | |
download | linux-aeb136c5b433377324f030b1a50b96eb7a99193b.tar.xz linux-aeb136c5b433377324f030b1a50b96eb7a99193b.zip |
mac80211: fix a potential NULL access in ieee80211_crypto_hw_decrypt
The NULL pointer access could happen when ieee80211_crypto_hw_decrypt
is called from ieee80211_rx_h_decrypt with the following condition:
1. rx->key->conf.cipher is not WEP, CCMP, TKIP or AES_CMAC
2. rx->sta is NULL
When ieee80211_crypto_hw_decrypt is called, it verifies
rx->sta->cipher_scheme and it will cause Oops if rx->sta is NULL.
This path adds an addirional rx->sta == NULL verification in
ieee80211_crypto_hw_decrypt for this case.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211/wpa.c')
-rw-r--r-- | net/mac80211/wpa.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c index 9b3dcc201145..f7d4ca4c46e0 100644 --- a/net/mac80211/wpa.c +++ b/net/mac80211/wpa.c @@ -811,7 +811,7 @@ ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx) ieee80211_rx_result ieee80211_crypto_hw_decrypt(struct ieee80211_rx_data *rx) { - if (rx->sta->cipher_scheme) + if (rx->sta && rx->sta->cipher_scheme) return ieee80211_crypto_cs_decrypt(rx); return RX_DROP_UNUSABLE; |