2015-02-17 19:08:04

by Denis Kirjanov

Subject: [PATCH] mac80211: rx: check for the skb_copy_bits() return value

Signed-off-by: Denis Kirjanov <[email protected]>
---
net/mac80211/rx.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 1101563..4d3ec94 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -685,7 +685,8 @@ static int iwl80211_get_cs_keyid(const struct ieee80211_cipher_scheme *cs,
if (skb->len < hdrlen + cs->hdr_len)
return -EINVAL;

- skb_copy_bits(skb, hdrlen + cs->key_idx_off, &keyid, 1);
+ if (skb_copy_bits(skb, hdrlen + cs->key_idx_off, &keyid, 1))
+ return -EFAULT;
keyid &= cs->key_idx_mask;
keyid >>= cs->key_idx_shift;

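Review bot: The new failure path returns -EFAULT, while the length check two lines above it returns -EINVAL for the same kind of short-frame condition, so callers would see two different errors for a malformed frame. Return -EINVAL here as well, or propagate the value skb_copy_bits() returns. The visible guard compares skb->len against hdrlen + cs->hdr_len, not hdrlen + cs->key_idx_off + 1, so the commit log should state whether key_idx_off is guaranteed to lie inside hdr_len; if it is, this branch cannot be taken.
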
@@ -1128,7 +1129,8 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
if (rx->skb->len < hdrlen + 8)
return RX_DROP_MONITOR;

- skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
+ if (skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2))
+ return RX_DROP_MONITOR;
if (ethertype == rx->sdata->control_port_protocol)
return RX_CONTINUE;
}
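
Review bot: The added branch after skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2) is unreachable as written. The check just above already returns RX_DROP_MONITOR when rx->skb->len < hdrlen + 8, and the copy reads only bytes hdrlen + 6 and hdrlen + 7. Either drop this hunk or explain in the commit log which case the existing length check misses.
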
@@ -1614,7 +1616,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
* no need to call ieee80211_wep_get_keyidx,
* it verifies a bunch of things we've done already
*/
- skb_copy_bits(rx->skb, hdrlen + 3, &keyid, 1);
+ if (skb_copy_bits(rx->skb, hdrlen + 3, &keyid, 1))
+ return RX_DROP_MONITOR;
keyidx = keyid >> 6;
}

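Review bot: The new RX_DROP_MONITOR return after the keyid copy has no stated justification. The length check that covers offset hdrlen + 3 is not visible in this hunk, and the comment above the call says earlier code has already verified the frame. The commit log should name that check, or describe the case in which skb->len can be <= hdrlen + 3 at this point; without one of those the branch reads as dead code.
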
--
2.1.3



2015-02-23 11:51:00

by Johannes Berg

Subject: Re: [PATCH] mac80211: rx: check for the skb_copy_bits() return value

You fail to provide a useful commit log explaining why this change
should be done? Given that all the code already has the necessary
checks, these calls can never return non-zero, so this seems pointless?

johannes