path: root/package/madwifi/patches/316-skb_checks.patch
blob: de6d551e51b4fb7d9444db4402af0f449329a800 (plain)
Index: madwifi-dfs-r3252/net80211/ieee80211_input.c
===================================================================
--- madwifi-dfs-r3252.orig/net80211/ieee80211_input.c	2008-01-26 05:14:46.815962139 +0100
+++ madwifi-dfs-r3252/net80211/ieee80211_input.c	2008-01-26 05:18:37.005079863 +0100
@@ -740,8 +740,10 @@
 
 			skb1 = skb_copy(skb, GFP_ATOMIC);
 			/* Increment reference count after copy */
-			if (skb1 != NULL)
-				ieee80211_skb_copy_noderef(skb, skb1);
+			if (skb1 == NULL)
+				goto err;
+
+			ieee80211_skb_copy_noderef(skb, skb1);
 
 			/* we now have 802.3 MAC hdr followed by 802.2 LLC/SNAP; convert to EthernetII.
 			 * Note that the frame is at least IEEE80211_MIN_LEN, due to the driver code. */
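Review bot: The new `goto err` jumps to a label outside this hunk, so it is worth confirming that the `err` path releases `skb` and its node reference; it is now the only exit taken when `skb_copy()` fails under `GFP_ATOMIC`. The existing comment `/* Increment reference count after copy */` also ends up above the NULL test instead of the call it describes; moving it directly above `ieee80211_skb_copy_noderef(skb, skb1);` keeps it accurate. A one-line comment on the new branch, such as `/* copy failed: drop the frame rather than dereference NULL below */`, would record why the frame is dropped.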
@@ -1055,9 +1057,11 @@
 				 * assemble fragments
 				 */
 				ni->ni_rxfrag = skb_copy(skb, GFP_ATOMIC);
-				/* We duplicate the reference after skb_copy */
-				ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
-				ieee80211_dev_kfree_skb(&skb);
+				if (ni->ni_rxfrag) {
+					/* We duplicate the reference after skb_copy */
+					ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
+					ieee80211_dev_kfree_skb(&skb);
+				}
 			}
 			/*
 			 * Check that we have enough space to hold
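Review bot: On `skb_copy()` failure this branch leaves `ni->ni_rxfrag` NULL and does not free `skb`, while the `skb_copy_expand()` branch in the next hunk still calls `ieee80211_dev_kfree_skb(&skb)` unconditionally and only skips the noderef copy. The two allocation-failure paths therefore leave different ownership state, and the code that later consumes `skb` and `ni->ni_rxfrag` is outside both hunks. Depending on what that code assumes, one path may leak the original skb or the other may hand on a freed one. Whichever outcome is intended, both branches should handle failure the same way and say so, e.g. `/* copy failed: no fragment stored, original skb is dropped */` next to the check.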
@@ -1071,7 +1075,7 @@
 					(skb_end_pointer(skb) - skb->head),
 					GFP_ATOMIC);
 				/* We duplicate the reference after skb_copy */
-				if (skb != ni->ni_rxfrag)
+				if ((skb != ni->ni_rxfrag) && ni->ni_rxfrag)
 					ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
 				ieee80211_dev_kfree_skb(&skb);
 			}
@@ -1134,7 +1138,8 @@
 		if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
 			skb1 = skb_copy(skb, GFP_ATOMIC);
 			/* Use the BSS node for retransmitting this multicast frame */
-			SKB_CB(skb1)->ni = ieee80211_ref_node(vap->iv_bss);
+			if (skb1)
+				SKB_CB(skb1)->ni = ieee80211_ref_node(vap->iv_bss);
 		}
 		else {
 			/*
@@ -1277,6 +1282,9 @@
 
 		/* XXX: does this always work? */
 		tskb = skb_copy(skb, GFP_ATOMIC);
+		if (!tskb)
+			return skb;
+
 		/* We duplicate the reference after skb_copy */
 		ieee80211_skb_copy_noderef(skb, tskb);
 		ieee80211_dev_kfree_skb(&skb);
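Review bot: The early `return skb;` hands the caller the original, uncopied buffer when `skb_copy()` fails, so the caller cannot tell that the copy this branch wanted did not happen. The condition that made the copy necessary is outside this hunk, as is the rest of the function. If the copy guards against something the consumer relies on (alignment or linearity, say), falling back silently may only move the fault further up the stack. Please document the fallback at the check, e.g. `/* copy failed: return the original skb unchanged; callers must tolerate it */`, or drop the frame here if callers cannot tolerate it.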