From bf9d5d28aabc6e420a0b6fb3a24b93046878e864 Mon Sep 17 00:00:00 2001 From: Victor Goldenshtein Date: Tue, 17 Sep 2013 18:41:25 +0300 Subject: [PATCH] wlcore: fix unsafe dereference of the wlvif wlvif could be passed as NULL from the wlcore_tx_work_locked() to the wl1271_prepare_tx_frame() and to wl1271_skb_queue_head() functions. This may lead to a Kernel panic, fix this by validating that wlvif != NULL. Signed-off-by: Victor Goldenshtein Signed-off-by: Eliad Peller Signed-off-by: Luciano Coelho --- drivers/net/wireless/ti/wlcore/tx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c index 03249da9703a..87cd707affa2 100644 --- a/drivers/net/wireless/ti/wlcore/tx.c +++ b/drivers/net/wireless/ti/wlcore/tx.c @@ -401,7 +401,7 @@ static int wl1271_prepare_tx_frame(struct wl1271 *wl, struct wl12xx_vif *wlvif, is_wep = (cipher == WLAN_CIPHER_SUITE_WEP40) || (cipher == WLAN_CIPHER_SUITE_WEP104); - if (WARN_ON(is_wep && wlvif->default_key != idx)) { + if (WARN_ON(is_wep && wlvif && wlvif->default_key != idx)) { ret = wl1271_set_default_wep_key(wl, wlvif, idx); if (ret < 0) return ret; -- 2.39.5