[PATCH] ieee80211: Fix kernel panic when QoS is enabled The 802.11 header length is affected by the wireless mode (WDS or not) and type (QoS or not). We should use the variable hdr_len instead of the hard coded IEEE80211_3ADDR_LEN, otherwise we may touch invalid memory. Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>

commit: efa53ebe0d2f50bf342eb1976824f59bba9941eb [log] [tgz]
author: Zhu Yi <yi.zhu@intel.com> Mon Nov 13 11:32:50 2006 +0800
committer: John W. Linville <linville@tuxdriver.com> Tue Nov 14 19:31:48 2006 -0500
tree: 41b68cfbf14a5540948df806c2a60999627a669c
parent: 0579e303553655245e8a6616bd8b4428b07d63a2 [diff]
diff --git a/net/ieee80211/ieee80211_tx.c b/net/ieee80211/ieee80211_tx.c
index ae25449..854fc13 100644
--- a/net/ieee80211/ieee80211_tx.c
+++ b/net/ieee80211/ieee80211_tx.c

@@ -390,7 +390,7 @@
 		 * this stack is providing the full 802.11 header, one will
 		 * eventually be affixed to this fragment -- so we must account
 		 * for it when determining the amount of payload space. */
-		bytes_per_frag = frag_size - IEEE80211_3ADDR_LEN;
+		bytes_per_frag = frag_size - hdr_len;
 		if (ieee->config &
 		    (CFG_IEEE80211_COMPUTE_FCS | CFG_IEEE80211_RESERVE_FCS))
 			bytes_per_frag -= IEEE80211_FCS_LEN;
@@ -412,7 +412,7 @@
 	} else {
 		nr_frags = 1;
 		bytes_per_frag = bytes_last_frag = bytes;
-		frag_size = bytes + IEEE80211_3ADDR_LEN;
+		frag_size = bytes + hdr_len;
 	}
 
 	rts_required = (frag_size > ieee->rts
commit	efa53ebe0d2f50bf342eb1976824f59bba9941eb	[log] [tgz]
author	Zhu Yi <yi.zhu@intel.com>	Mon Nov 13 11:32:50 2006 +0800
committer	John W. Linville <linville@tuxdriver.com>	Tue Nov 14 19:31:48 2006 -0500
tree	41b68cfbf14a5540948df806c2a60999627a669c
parent	0579e303553655245e8a6616bd8b4428b07d63a2 [diff]