From: Harvey Harrison Date: Wed, 16 Jul 2008 01:44:02 +0000 (-0700) Subject: ath5k: explicitly check skb->len X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=798ee9850e9bf94b4436f9c7238823322e326885;p=GitHub%2Fmt8127%2Fandroid_kernel_alcatel_ttab.git ath5k: explicitly check skb->len ieee80211_get_hdrlen_from_skb internally checks that the skb is long enough to hold the full header, or it returns 0 if not. The check in ath5k does not check this case and assumes it always got the actual header length which it then checks against the skb->len plus some headroom. Change to ieee80211_hdrlen which always returns the hdrlen and keep the existing headroom check. Signed-off-by: Harvey Harrison Signed-off-by: John W. Linville --- diff --git a/drivers/net/wireless/ath5k/base.c b/drivers/net/wireless/ath5k/base.c index 114520258b78..c1de1ef09e59 100644 --- a/drivers/net/wireless/ath5k/base.c +++ b/drivers/net/wireless/ath5k/base.c @@ -1540,7 +1540,7 @@ ath5k_rx_decrypted(struct ath5k_softc *sc, struct ath5k_desc *ds, struct sk_buff *skb, struct ath5k_rx_status *rs) { struct ieee80211_hdr *hdr = (void *)skb->data; - unsigned int keyix, hlen = ieee80211_get_hdrlen_from_skb(skb); + unsigned int keyix, hlen; if (!(rs->rs_status & AR5K_RXERR_DECRYPT) && rs->rs_keyix != AR5K_RXKEYIX_INVALID) @@ -1549,6 +1549,7 @@ ath5k_rx_decrypted(struct ath5k_softc *sc, struct ath5k_desc *ds, /* Apparently when a default key is used to decrypt the packet the hw does not set the index used to decrypt. In such cases get the index from the packet. */ + hlen = ieee80211_hdrlen(hdr->frame_control); if (ieee80211_has_protected(hdr->frame_control) && !(rs->rs_status & AR5K_RXERR_DECRYPT) && skb->len >= hlen + 4) {