Commit 8d767dcb authored by Avinash Patil's avatar Avinash Patil Committed by John W. Linville

mwifiex: set valid tx_param during mwifiex_send_null_packet

While sending null packet from driver we are passing NULL
tx_param pointer to indicate there are no more packets in queue.
PCIe send routine assumes caller has done sanity check on
tx_param and may cause crash while dereferencing next_pkt_len
from tx_param.

Avoid this by passing tx_param structure with next_pkt_len as
zero instead of NULL pointer.
Signed-off-by: default avatarAvinash Patil <patila@marvell.com>
Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent bb71d01a
...@@ -1071,6 +1071,7 @@ static int mwifiex_pcie_send_data_complete(struct mwifiex_adapter *adapter) ...@@ -1071,6 +1071,7 @@ static int mwifiex_pcie_send_data_complete(struct mwifiex_adapter *adapter)
* is mapped to PCI device memory. Tx ring pointers are advanced accordingly. * is mapped to PCI device memory. Tx ring pointers are advanced accordingly.
* Download ready interrupt to FW is deffered if Tx ring is not full and * Download ready interrupt to FW is deffered if Tx ring is not full and
* additional payload can be accomodated. * additional payload can be accomodated.
* Caller must ensure tx_param parameter to this function is not NULL.
*/ */
static int static int
mwifiex_pcie_send_data(struct mwifiex_adapter *adapter, struct sk_buff *skb, mwifiex_pcie_send_data(struct mwifiex_adapter *adapter, struct sk_buff *skb,
......
...@@ -128,6 +128,7 @@ int mwifiex_send_null_packet(struct mwifiex_private *priv, u8 flags) ...@@ -128,6 +128,7 @@ int mwifiex_send_null_packet(struct mwifiex_private *priv, u8 flags)
{ {
struct mwifiex_adapter *adapter = priv->adapter; struct mwifiex_adapter *adapter = priv->adapter;
struct txpd *local_tx_pd; struct txpd *local_tx_pd;
struct mwifiex_tx_param tx_param;
/* sizeof(struct txpd) + Interface specific header */ /* sizeof(struct txpd) + Interface specific header */
#define NULL_PACKET_HDR 64 #define NULL_PACKET_HDR 64
u32 data_len = NULL_PACKET_HDR; u32 data_len = NULL_PACKET_HDR;
...@@ -168,8 +169,9 @@ int mwifiex_send_null_packet(struct mwifiex_private *priv, u8 flags) ...@@ -168,8 +169,9 @@ int mwifiex_send_null_packet(struct mwifiex_private *priv, u8 flags)
skb, NULL); skb, NULL);
} else { } else {
skb_push(skb, INTF_HEADER_LEN); skb_push(skb, INTF_HEADER_LEN);
tx_param.next_pkt_len = 0;
ret = adapter->if_ops.host_to_card(adapter, MWIFIEX_TYPE_DATA, ret = adapter->if_ops.host_to_card(adapter, MWIFIEX_TYPE_DATA,
skb, NULL); skb, &tx_param);
} }
switch (ret) { switch (ret) {
case -EBUSY: case -EBUSY:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment