ClabureDB: Classified Bug-Reports Database

Project: Linux Kernel

Showing error 1885

User:	Jiri Slaby
Error type:	Invalid Pointer Dereference
Error type description:	A pointer which is invalid is being dereferenced
File location:	net/ieee80211/ieee80211_tx.c
Line in file:	402
Project:	Linux Kernel
Project version:	2.6.28
Tools:	Smatch (1.59)
Entered:	2013-09-11 08:47:26 UTC

Source:

372                        goto failed;
373                }
374                dev_kfree_skb_any(skb);
375                skb = skb_new;
376                bytes += crypt->ops->extra_msdu_prefix_len +
377                    crypt->ops->extra_msdu_postfix_len;
378                skb_pull(skb, hdr_len);
379        }
380
381        if (host_encrypt || ieee->host_open_frag) {
382                /* Determine fragmentation size based on destination (multicast
383                 * and broadcast are not fragmented) */
384                if (is_multicast_ether_addr(dest) ||
385                    is_broadcast_ether_addr(dest))
386                        frag_size = MAX_FRAG_THRESHOLD;
387                else
388                        frag_size = ieee->fts;
389
390                /* Determine amount of payload per fragment.  Regardless of if
391                 * this stack is providing the full 802.11 header, one will
392                 * eventually be affixed to this fragment -- so we must account
393                 * for it when determining the amount of payload space. */
394                bytes_per_frag = frag_size - hdr_len;
395                if (ieee->config &
396                    (CFG_IEEE80211_COMPUTE_FCS | CFG_IEEE80211_RESERVE_FCS))
397                        bytes_per_frag -= IEEE80211_FCS_LEN;
398
399                /* Each fragment may need to have room for encryptiong
400                 * pre/postfix */
401                if (host_encrypt)
402                        bytes_per_frag -= crypt->ops->extra_mpdu_prefix_len +
403                            crypt->ops->extra_mpdu_postfix_len;
404
405                /* Number of fragments is the total
406                 * bytes_per_frag / payload_per_fragment */
407                nr_frags = bytes / bytes_per_frag;
408                bytes_last_frag = bytes % bytes_per_frag;
409                if (bytes_last_frag)
410                        nr_frags++;
411                else
412                        bytes_last_frag = bytes_per_frag;

Show full sources