diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2010-06-05 07:32:21 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-06-05 07:32:21 -0700 |
| commit | ed7dc1dfbcef301407a1e3138a49dc94e5a19d0a (patch) | |
| tree | 2aef7400d404774f0f8a30b6eefb0690a09ec24c /net/mac80211/rx.c | |
| parent | 7926e0bfbbc5ff81ddad0fda831eef7060e40997 (diff) | |
| parent | ca7335948e294faf8adf65f2c95ca18ea78540db (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (30 commits)
X25: remove duplicated #include
tcp: use correct net ns in cookie_v4_check()
rps: tcp: fix rps_sock_flow_table table updates
ppp_generic: fix multilink fragment sizes
syncookies: remove Kconfig text line about disabled-by-default
ixgbe: only check pfc bits in hang logic if pfc is enabled
net: check for refcount if pop a stacked dst_entry
ixgbe: return IXGBE_ERR_RAR_INDEX when out of range
act_pedit: access skb->data safely
sfc: Store port number in net_device::dev_id
epic100: Test __BIG_ENDIAN instead of (non-existent) CONFIG_BIG_ENDIAN
tehuti: return -EFAULT on copy_to_user errors
isdn/kcapi: return -EFAULT on copy_from_user errors
e1000e: change logical negate to bitwise
sfc: Get port number from CS_PORT_NUM, not PCI function number
cls_u32: use skb_header_pointer() to dereference data safely
TCP: tcp_hybla: Fix integer overflow in slow start increment
act_nat: fix the wrong checksum when addr isn't in old_addr/mask
net/fec: fix pm to survive to suspend/resume
korina: count RX DMA OVR as rx_fifo_error
...
Diffstat (limited to 'net/mac80211/rx.c')
| -rw-r--r-- | net/mac80211/rx.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 6e2a7bcd8cb8..5e0b65406c44 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -1818,17 +1818,26 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames) return RX_CONTINUE; if (ieee80211_is_back_req(bar->frame_control)) { + struct { + __le16 control, start_seq_num; + } __packed bar_data; + if (!rx->sta) return RX_DROP_MONITOR; + + if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control), + &bar_data, sizeof(bar_data))) + return RX_DROP_MONITOR; + spin_lock(&rx->sta->lock); - tid = le16_to_cpu(bar->control) >> 12; + tid = le16_to_cpu(bar_data.control) >> 12; if (!rx->sta->ampdu_mlme.tid_active_rx[tid]) { spin_unlock(&rx->sta->lock); return RX_DROP_MONITOR; } tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid]; - start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4; + start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4; /* reset session timer */ if (tid_agg_rx->timeout) |