[PATCH] ieee80211: Fix kernel panic when QoS is enabled

The 802.11 header length is affected by the wireless mode (WDS or not) and
type (QoS or not). We should use the variable hdr_len instead of the
hard coded IEEE80211_3ADDR_LEN, otherwise we may touch invalid memory.

Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/net/ieee80211/ieee80211_tx.c b/net/ieee80211/ieee80211_tx.c
index ae254497ba3d8dac57a3521fab214936f6847e2a..854fc13cd78d0b057dbf40812293f86b1a0716cb 100644 (file)
--- a/net/ieee80211/ieee80211_tx.c
+++ b/net/ieee80211/ieee80211_tx.c
@@ -390,7 +390,7 @@ int ieee80211_xmit(struct sk_buff *skb, struct net_device *dev)
                 * this stack is providing the full 802.11 header, one will
                 * eventually be affixed to this fragment -- so we must account
                 * for it when determining the amount of payload space. */
-               bytes_per_frag = frag_size - IEEE80211_3ADDR_LEN;
+               bytes_per_frag = frag_size - hdr_len;
                if (ieee->config &
                    (CFG_IEEE80211_COMPUTE_FCS | CFG_IEEE80211_RESERVE_FCS))
                        bytes_per_frag -= IEEE80211_FCS_LEN;
@@ -412,7 +412,7 @@ int ieee80211_xmit(struct sk_buff *skb, struct net_device *dev)
        } else {
                nr_frags = 1;
                bytes_per_frag = bytes_last_frag = bytes;
-               frag_size = bytes + IEEE80211_3ADDR_LEN;
+               frag_size = bytes + hdr_len;
        }
 
        rts_required = (frag_size > ieee->rts