From d7b86662f7fccf36e3091cdd5f7116d0a0a28279 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@openwrt.org>
Date: Sat, 26 Jan 2008 04:19:50 +0000
Subject: [PATCH] add extra sanity checks in madwifi

SVN-Revision: 10266
---
 package/madwifi/patches/316-skb_checks.patch | 61 ++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 package/madwifi/patches/316-skb_checks.patch

diff --git a/package/madwifi/patches/316-skb_checks.patch b/package/madwifi/patches/316-skb_checks.patch
new file mode 100644
index 0000000000..de6d551e51
--- /dev/null
+++ b/package/madwifi/patches/316-skb_checks.patch
@@ -0,0 +1,61 @@
+Index: madwifi-dfs-r3252/net80211/ieee80211_input.c
+===================================================================
+--- madwifi-dfs-r3252.orig/net80211/ieee80211_input.c	2008-01-26 05:14:46.815962139 +0100
++++ madwifi-dfs-r3252/net80211/ieee80211_input.c	2008-01-26 05:18:37.005079863 +0100
+@@ -740,8 +740,10 @@
+ 
+ 			skb1 = skb_copy(skb, GFP_ATOMIC);
+ 			/* Increment reference count after copy */
+-			if (skb1 != NULL)
+-				ieee80211_skb_copy_noderef(skb, skb1);
++			if (skb1 == NULL)
++				goto err;
++
++			ieee80211_skb_copy_noderef(skb, skb1);
+ 
+ 			/* we now have 802.3 MAC hdr followed by 802.2 LLC/SNAP; convert to EthernetII.
+ 			 * Note that the frame is at least IEEE80211_MIN_LEN, due to the driver code. */
+@@ -1055,9 +1057,11 @@
+ 				 * assemble fragments
+ 				 */
+ 				ni->ni_rxfrag = skb_copy(skb, GFP_ATOMIC);
+-				/* We duplicate the reference after skb_copy */
+-				ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
+-				ieee80211_dev_kfree_skb(&skb);
++				if (ni->ni_rxfrag) {
++					/* We duplicate the reference after skb_copy */
++					ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
++					ieee80211_dev_kfree_skb(&skb);
++				}
+ 			}
+ 			/*
+ 			 * Check that we have enough space to hold
+@@ -1071,7 +1075,7 @@
+ 					(skb_end_pointer(skb) - skb->head),
+ 					GFP_ATOMIC);
+ 				/* We duplicate the reference after skb_copy */
+-				if (skb != ni->ni_rxfrag)
++				if ((skb != ni->ni_rxfrag) && ni->ni_rxfrag)
+ 					ieee80211_skb_copy_noderef(skb, ni->ni_rxfrag);
+ 				ieee80211_dev_kfree_skb(&skb);
+ 			}
+@@ -1134,7 +1138,8 @@
+ 		if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
+ 			skb1 = skb_copy(skb, GFP_ATOMIC);
+ 			/* Use the BSS node for retransmitting this multicast frame */
+-			SKB_CB(skb1)->ni = ieee80211_ref_node(vap->iv_bss);
++			if (skb1)
++				SKB_CB(skb1)->ni = ieee80211_ref_node(vap->iv_bss);
+ 		}
+ 		else {
+ 			/*
+@@ -1277,6 +1282,9 @@
+ 
+ 		/* XXX: does this always work? */
+ 		tskb = skb_copy(skb, GFP_ATOMIC);
++		if (!tskb)
++			return skb;
++
+ 		/* We duplicate the reference after skb_copy */
+ 		ieee80211_skb_copy_noderef(skb, tskb);
+ 		ieee80211_dev_kfree_skb(&skb);
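Review bot: The two neighbouring sub-hunks at 1055 and 1071 now treat a failed copy differently: when `skb_copy` returns NULL the new `if (ni->ni_rxfrag)` guard also skips `ieee80211_dev_kfree_skb(&skb)`, leaving `ni_rxfrag` NULL with the original skb still held, whereas when `skb_copy_expand` fails the added `&& ni->ni_rxfrag` only skips the noderef copy and the original skb is still freed. Whether the retained skb in the first case is released by the code after the `if` chain, or leaks, cannot be seen from here, since every enclosing function starts and ends outside the hunk; the two branches should agree either way. If the tail of that function expects `skb` to be consumed, an `else` branch with `ieee80211_dev_kfree_skb(&skb);` on the new `if (ni->ni_rxfrag)` restores the symmetry; if it expects `skb` intact on failure, the 1071 sub-hunk should not free it either. The `goto err` added in the 740 sub-hunk and the `if (skb1)` guard in the 1134 sub-hunk likewise depend on the `err` label and on how `skb1` is used afterwards, both outside the hunk, so once confirmed the NULL path there deserves a one-line comment such as `/* skb1 == NULL: copy failed, only the original frame is delivered below */`.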
-- 
2.30.2