From d7b86662f7fccf36e3091cdd5f7116d0a0a28279 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Sat, 26 Jan 2008 04:19:50 +0000 Subject: [PATCH] add extra sanity checks in madwifi SVN-Revision: 10266 --- package/madwifi/patches/316-skb_checks.patch | 61 ++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 package/madwifi/patches/316-skb_checks.patch diff --git a/package/madwifi/patches/316-skb_checks.patch b/package/madwifi/patches/316-skb_checks.patch new file mode 100644 index 0000000000..de6d551e51 --- /dev/null +++ b/package/madwifi/patches/316-skb_checks.patch @@ -0,0 +1,61 @@ +Index: madwifi-dfs-r3252/net80211/ieee80211_input.c +=================================================================== +--- madwifi-dfs-r3252.orig/net80211/ieee80211_input.c 2008-01-26 05:14:46.815962139 +0100 ++++ madwifi-dfs-r3252/net80211/ieee80211_input.c 2008-01-26 05:18:37.005079863 +0100 +@@ -740,8 +740,10 @@ + + skb1 = skb_copy(skb, GFP_ATOMIC); + /* Increment reference count after copy */ +- if (skb1 != NULL) +- ieee80211_skb_copy_noderef(skb, skb1); ++ if (skb1 == NULL) ++ goto err; ++ ++ ieee80211_skb_copy_noderef(skb, skb1); + + /* we now have 802.3 MAC hdr followed by 802.2 LLC/SNAP; convert to EthernetII. + * Note that the frame is at least IEEE80211_MIN_LEN, due to the driver code. */ +@@ -1055,9 +1057,11 @@ + * assemble fragments + */ + ni->ni_rxfrag = skb_copy(skb, GFP_ATOMIC); +- /* We duplicate the reference after skb_copy */ +- ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag); +- ieee80211_dev_kfree_skb(&skb); ++ if (ni->ni_rxfrag) { ++ /* We duplicate the reference after skb_copy */ ++ ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag); ++ ieee80211_dev_kfree_skb(&skb); ++ } + } + /* + * Check that we have enough space to hold +@@ -1071,7 +1075,7 @@ + (skb_end_pointer(skb) - skb->head), + GFP_ATOMIC); + /* We duplicate the reference after skb_copy */ +- if (skb != ni->ni_rxfrag) ++ if ((skb != ni->ni_rxfrag) && ni->ni_rxfrag) + ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag); + ieee80211_dev_kfree_skb(&skb); + } +@@ -1134,7 +1138,8 @@ + if (ETHER_IS_MULTICAST(eh->ether_dhost)) { + skb1 = skb_copy(skb, GFP_ATOMIC); + /* Use the BSS node for retransmitting this multicast frame */ +- SKB_CB(skb1)->ni = ieee80211_ref_node(vap->iv_bss); ++ if (skb1) ++ SKB_CB(skb1)->ni = ieee80211_ref_node(vap->iv_bss); + } + else { + /* +@@ -1277,6 +1282,9 @@ + + /* XXX: does this always work? */ + tskb = skb_copy(skb, GFP_ATOMIC); ++ if (!tskb) ++ return skb; ++ + /* We duplicate the reference after skb_copy */ + ieee80211_skb_copy_noderef(skb, tskb); + ieee80211_dev_kfree_skb(&skb);