fix a small race condition in the madwifi queue handling
[openwrt-10.03/.git] / package / madwifi / patches / 316-skb_checks.patch
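--- a/net80211/ieee80211_input.c
+++ b/net80211/ieee80211_input.c
@@ -740,8 +740,10 @@
 
                        skb1 = skb_copy(skb, GFP_ATOMIC);
                        /* Increment reference count after copy */
-                       if (skb1 != NULL)
-                               ieee80211_skb_copy_noderef(skb, skb1);
+                       if (skb1 == NULL)
+                               goto err;
+
+                       ieee80211_skb_copy_noderef(skb, skb1);
 
                        /* we now have 802.3 MAC hdr followed by 802.2 LLC/SNAP; convert to EthernetII.
                         * Note that the frame is at least IEEE80211_MIN_LEN, due to the driver code. */
@@ -1056,9 +1058,11 @@
                                 * assemble fragments
                                 */
                                ni->ni_rxfrag = skb_copy(skb, GFP_ATOMIC);
-                               /* We duplicate the reference after skb_copy */
-                               ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
-                               ieee80211_dev_kfree_skb(&skb);
+                               if (ni->ni_rxfrag) {
+                                       /* We duplicate the reference after skb_copy */
+                                       ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
+                                       ieee80211_dev_kfree_skb(&skb);
+                               }
                        }
                        /*
                         * Check that we have enough space to hold
@@ -1072,7 +1076,7 @@
                                        (skb_end_pointer(skb) - skb->head),
                                        GFP_ATOMIC);
                                /* We duplicate the reference after skb_copy */
-                               if (skb != ni->ni_rxfrag)
+                               if ((skb != ni->ni_rxfrag) && ni->ni_rxfrag)
                                        ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
                                ieee80211_dev_kfree_skb(&skb);
                        }
@@ -1135,7 +1139,8 @@
                if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
                        /* Create a SKB for the BSS to send out. */
                        skb1 = skb_copy(skb, GFP_ATOMIC);
-                       SKB_CB(skb1)->ni = ieee80211_ref_node(vap->iv_bss);
+                       if (skb1)
+                               SKB_CB(skb1)->ni = ieee80211_ref_node(vap->iv_bss);
                }
                else {
                        /*
@@ -1278,6 +1283,9 @@
 
                /* XXX: does this always work? */
                tskb = skb_copy(skb, GFP_ATOMIC);
+               if (!tskb)
+                       return skb;
+
                /* We duplicate the reference after skb_copy */
                ieee80211_skb_copy_noderef(skb, tskb);
                ieee80211_dev_kfree_skb(&skb);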
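Review bot: The two fragment-reassembly hunks (`@@ -1056` and `@@ -1072`) handle a failed copy inconsistently: after a failed `skb_copy()` the original `skb` is kept and `ni->ni_rxfrag` stays NULL, while after a failed `skb_copy_expand()` the `skb` is freed unconditionally and `ni->ni_rxfrag` is also NULL. Neither visible path leaves the function, so the code after these hunks (not shown here) presumably continues with a NULL fragment pointer, and in the first case with an `skb` whose ownership is unclear. `GFP_ATOMIC` allocations can fail under memory pressure on the receive path, so both sites should drop the frame in the same explicit way, for example `if (ni->ni_rxfrag == NULL) { ieee80211_dev_kfree_skb(&skb); return NULL; }`, assuming NULL is this function's drop convention. The `return skb;` added at `@@ -1278` hands the caller the uncopied buffer; a one-line comment there should state why the caller can safely use it, given the existing `/* XXX: does this always work? */` above the copy.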