RX handlers are allowed to change rx.skb pointer in the same way as TX handlers. In other words, ieee80211_rx() must use the new pointer after the RX handler loop has been completed to avoid freeing incorrect skb if the frame ends up being dropped after the skb pointer has been changed.
Signed-off-by: Jouni Malinen <[EMAIL PROTECTED]> Index: wireless-2.6/net/d80211/ieee80211.c =================================================================== --- wireless-2.6.orig/net/d80211/ieee80211.c +++ wireless-2.6/net/d80211/ieee80211.c @@ -3325,6 +3325,7 @@ void __ieee80211_rx(struct net_device *d break; } } + skb = rx.skb; /* handlers are allowed to change skb */ if (res == TXRX_DROP || *handler == NULL) dev_kfree_skb(skb); -- -- Jouni Malinen PGP id EFC895FA
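Review bot: the added `skb = rx.skb;` just before the `res == TXRX_DROP || *handler == NULL` check leaves two names for one buffer, so any path that still reads the local `skb` before this assignment runs would be holding the pointer a handler may already have replaced. Consider calling `dev_kfree_skb(rx.skb)` directly at the drop site so the free cannot drift from the handler-updated pointer. The comment would also be more useful if it stated who releases the original skb when a handler substitutes a new one, since the visible lines free only the current `rx.skb` and that ownership rule is what prevents a leak or a double free here.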