add extra sanity checks in madwifi

SVN-Revision: 10266

diff --git a/package/madwifi/patches/316-skb_checks.patch b/package/madwifi/patches/316-skb_checks.patch
new file mode 100644 (file)
index 0000000..de6d551
--- /dev/null
+++ b/package/madwifi/patches/316-skb_checks.patch
@@ -0,0 +1,61 @@
+Index: madwifi-dfs-r3252/net80211/ieee80211_input.c
+===================================================================
+--- madwifi-dfs-r3252.orig/net80211/ieee80211_input.c  2008-01-26 05:14:46.815962139 +0100
++++ madwifi-dfs-r3252/net80211/ieee80211_input.c       2008-01-26 05:18:37.005079863 +0100
+@@ -740,8 +740,10 @@
+ 
+                       skb1 = skb_copy(skb, GFP_ATOMIC);
+                       /* Increment reference count after copy */
+-                      if (skb1 != NULL)
+-                              ieee80211_skb_copy_noderef(skb, skb1);
++                      if (skb1 == NULL)
++                              goto err;
++
++                      ieee80211_skb_copy_noderef(skb, skb1);
+ 
+                       /* we now have 802.3 MAC hdr followed by 802.2 LLC/SNAP; convert to EthernetII.
+                        * Note that the frame is at least IEEE80211_MIN_LEN, due to the driver code. */
+@@ -1055,9 +1057,11 @@
+                                * assemble fragments
+                                */
+                               ni->ni_rxfrag = skb_copy(skb, GFP_ATOMIC);
+-                              /* We duplicate the reference after skb_copy */
+-                              ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
+-                              ieee80211_dev_kfree_skb(&skb);
++                              if (ni->ni_rxfrag) {
++                                      /* We duplicate the reference after skb_copy */
++                                      ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
++                                      ieee80211_dev_kfree_skb(&skb);
++                              }
+                       }
+                       /*
+                        * Check that we have enough space to hold
+@@ -1071,7 +1075,7 @@
+                                       (skb_end_pointer(skb) - skb->head),
+                                       GFP_ATOMIC);
+                               /* We duplicate the reference after skb_copy */
+-                              if (skb != ni->ni_rxfrag)
++                              if ((skb != ni->ni_rxfrag) && ni->ni_rxfrag)
+                                       ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
+                               ieee80211_dev_kfree_skb(&skb);
+                       }
+@@ -1134,7 +1138,8 @@
+               if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
+                       skb1 = skb_copy(skb, GFP_ATOMIC);
+                       /* Use the BSS node for retransmitting this multicast frame */
+-                      SKB_CB(skb1)->ni = ieee80211_ref_node(vap->iv_bss);
++                      if (skb1)
++                              SKB_CB(skb1)->ni = ieee80211_ref_node(vap->iv_bss);
+               }
+               else {
+                       /*
+@@ -1277,6 +1282,9 @@
+ 
+               /* XXX: does this always work? */
+               tskb = skb_copy(skb, GFP_ATOMIC);
++              if (!tskb)
++                      return skb;
++
+               /* We duplicate the reference after skb_copy */
+               ieee80211_skb_copy_noderef(skb, tskb);
+               ieee80211_dev_kfree_skb(&skb);