Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6

Conflicts: drivers/net/sfc/net_driver.h drivers/net/sfc/siena.c
author: David S. Miller <davem@davemloft.net> 2010-06-06 17:42:02 -0700
committer: David S. Miller <davem@davemloft.net> 2010-06-06 17:42:02 -0700
commit: eedc765ca4b19a41cf0b921a492ac08d640060d1 (patch)
tree: 95c566c6238cc953e1e336115d2daafe8bcb388f /net/mac80211/rx.c
parent: e59d44df46edaafb6b637e98d046775524b31104 (diff)
parent: 024a07bacf8287a6ddfa83e9d5b951c5e8b4070e (diff)
1 files changed, 11 insertions, 2 deletions
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 2d9a2ee94e17..dd232061e4c4 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1818,17 +1818,26 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
 		return RX_CONTINUE;
 
 	if (ieee80211_is_back_req(bar->frame_control)) {
+		struct {
+			__le16 control, start_seq_num;
+		} __packed bar_data;
+
 		if (!rx->sta)
 			return RX_DROP_MONITOR;
+
+		if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
+				  &bar_data, sizeof(bar_data)))
+			return RX_DROP_MONITOR;
+
 		spin_lock(&rx->sta->lock);
-		tid = le16_to_cpu(bar->control) >> 12;
+		tid = le16_to_cpu(bar_data.control) >> 12;
 		if (!rx->sta->ampdu_mlme.tid_active_rx[tid]) {
 			spin_unlock(&rx->sta->lock);
 			return RX_DROP_MONITOR;
 		}
 		tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];
 
-		start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4;
+		start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
 
 		/* reset session timer */
 		if (tid_agg_rx->timeout)
author	David S. Miller <davem@davemloft.net>	2010-06-06 17:42:02 -0700
committer	David S. Miller <davem@davemloft.net>	2010-06-06 17:42:02 -0700
commit	eedc765ca4b19a41cf0b921a492ac08d640060d1 (patch)
tree	95c566c6238cc953e1e336115d2daafe8bcb388f /net/mac80211/rx.c
parent	e59d44df46edaafb6b637e98d046775524b31104 (diff)
parent	024a07bacf8287a6ddfa83e9d5b951c5e8b4070e (diff)