| Message ID | 1404914132-13614-1-git-send-email-emmanuel.grumbach@intel.com (mailing list archive) |
|---|---|
| State | Not Applicable, archived |
| Headers | show |
On Wed, 2014-07-09 at 16:55 +0300, Emmanuel Grumbach wrote: > From: Max Stepanov <Max.Stepanov@intel.com> > > The NULL pointer access could happen when ieee80211_crypto_hw_decrypt > is called from ieee80211_rx_h_decrypt with the following condition: > 1. rx->key->conf.cipher is not WEP, CCMP, TKIP or AES_CMAC > 2. rx->sta is NULL > > When ieee80211_crypto_hw_decrypt is called, it verifies > rx->sta->cipher_scheme and it will cause Oops if rx->sta is NULL. > > This path adds an addirional rx->sta == NULL verification in > ieee80211_crypto_hw_decrypt for this case. Applied. johannes -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c index 9b3dcc2..f7d4ca4 100644 --- a/net/mac80211/wpa.c +++ b/net/mac80211/wpa.c @@ -811,7 +811,7 @@ ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx) ieee80211_rx_result ieee80211_crypto_hw_decrypt(struct ieee80211_rx_data *rx) { - if (rx->sta->cipher_scheme) + if (rx->sta && rx->sta->cipher_scheme) return ieee80211_crypto_cs_decrypt(rx); return RX_DROP_UNUSABLE;