blob: ec147a193c7286e97765e9d39e25041ee46da712 [file] [log] [blame]
From a6756da9eace8b4af73e9dea43f1fc2889224c94 Mon Sep 17 00:00:00 2001
From: Jason Conti <>
Date: Thu, 7 Apr 2011 21:09:57 +0200
Subject: p54: Initialize extra_len in p54_tx_80211
From: Jason Conti <>
commit a6756da9eace8b4af73e9dea43f1fc2889224c94 upstream.
This patch fixes a very serious off-by-one bug in
the driver, which could leave the device in an
unresponsive state.
The problem was that the extra_len variable [used to
reserve extra scratch buffer space for the firmware]
was left uninitialized. Because p54_assign_address
later needs the value to reserve additional space,
the resulting frame could be to big for the small
device's memory window and everything would
immediately come to a grinding halt.
Acked-by: Christian Lamparter <>
Signed-off-by: Jason Conti <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
drivers/net/wireless/p54/txrx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/p54/txrx.c
+++ b/drivers/net/wireless/p54/txrx.c
@@ -703,7 +703,7 @@ int p54_tx_80211(struct ieee80211_hw *de
struct p54_tx_info *p54info;
struct p54_hdr *hdr;
struct p54_tx_data *txhdr;
- unsigned int padding, len, extra_len;
+ unsigned int padding, len, extra_len = 0;
int i, j, ridx;
u16 hdr_flags = 0, aid = 0;
u8 rate, queue = 0, crypt_offset = 0;