[PATCH] wifi: ipw2x00: Fix potential NULL crypt->ops dereference in libipw_xmit()

Next message: luoxuanqiang: "Re: [PATCH bpf-next v1] bpf: Use hlist_nulls_replace_rcu() when updating htab elements"
Previous message: Claudiu Beznea: "Re: [PATCH 9/9] arm64: dts: renesas: rzg3s-smarc-som: Enable I3C"
Next in thread: Johannes Berg: "Re: [PATCH] wifi: ipw2x00: Fix potential NULL crypt-&gt;ops dereference in libipw_xmit()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nikolay Kuratov

Date: Wed May 27 2026 - 05:10:24 EST

crypt and crypt->ops could be null, so we need to checking null
before dereference

Previously the commit
e8366bbabe1d ("ipw2x00: Fix potential NULL dereference in libipw_xmit()")
partially fixed that same issue in libipw_xmit().
This is similar to CVE-2022-49544.

Found by Svace static analysis tool.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 1264fc0498e1e ("[PATCH] ieee80211: Fix TKIP, repeated fragmentation problem, and payload_size reporting")
Signed-off-by: Nikolay Kuratov <kniv@xxxxxxxxxxxxxx>
---
drivers/net/wireless/intel/ipw2x00/libipw_tx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
index 6e16060834b8..ec455e680030 100644
--- a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
+++ b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
@@ -450,7 +450,7 @@ netdev_tx_t libipw_xmit(struct sk_buff *skb, struct net_device *dev)
for (; i < nr_frags; i++) {
skb_frag = txb->fragments[i];

- if (host_encrypt)
+ if (host_encrypt && crypt && crypt->ops)
skb_reserve(skb_frag,
crypt->ops->extra_mpdu_prefix_len);

--
2.34.1