Dan found a check from ath6kl_rx() which doesn't make any sense at all:
" 1327 if (status || !(skb->data + HTC_HDR_LENGTH)) {
^^^^^^^^^^^^^^^^^^^^^^^^^^
skb->data is a pointer. This pointer math is always going to be false.
Should it be testing "packet->act_len < HTC_HDR_LENGTH" or something?"
I don't know what the check really was supposed to do, but I think Dan's guess
is right. Fix it accordingly.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
__func__, ar, ept, skb, packet->buf,
packet->act_len, status);
- if (status || !(skb->data + HTC_HDR_LENGTH)) {
+ if (status || packet->act_len < HTC_HDR_LENGTH) {
dev_kfree_skb(skb);
return;
}