[ath9k-devel] [PATCH 3/7] ath10k: add safety check after popping a frame in frag rx

Michal Kazior Fri, 26 Apr 2013 01:38:39 -0700

If HTT RX went haywire we dereferenced buggy
pointers that led to system crash.


Signed-off-by: Michal Kazior <michal.kaz...@tieto.com>
---
 drivers/net/wireless/ath/ath10k/htt_rx.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c 
b/drivers/net/wireless/ath/ath10k/htt_rx.c
index 6d619e1..fe2d27b 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -895,6 +895,11 @@ static void ath10k_htt_rx_frag_handler(struct ath10k_htt 
*htt,
 
        ath10k_dbg(ATH10K_DBG_HTT_DUMP, "htt rx frag ahead\n");
 
+       if (!msdu_head) {
+               ath10k_warn("htt rx frag no data\n");
+               return;
+       }
+
        if (msdu_chaining || msdu_head != msdu_tail) {
                ath10k_warn("aggregation with fragmentation?!\n");
                ath10k_htt_rx_free_msdu_chain(msdu_head);
-- 
1.7.9.5

_______________________________________________
ath9k-devel mailing list
ath9k-devel@lists.ath9k.org
https://lists.ath9k.org/mailman/listinfo/ath9k-devel

[ath9k-devel] [PATCH 3/7] ath10k: add safety check after popping a frame in frag rx

Reply via email to