* [PATCH] cfg80211: fix NULL ptr deref
@ 2009-10-31  6:40 Johannes Berg
From: Johannes Berg @ 2009-10-31  6:40 UTC (permalink / raw)
  To: John Linville; +Cc: Parag Warudkar, linux-wireless

  commit 211a4d12abf86fe0df4cd68fc6327cbb58f56f81
  Author: Johannes Berg <johannes@sipsolutions.net>
  Date:   Tue Oct 20 15:08:53 2009 +0900

      cfg80211: sme: deauthenticate on assoc failure

introduced a potential NULL pointer dereference that
some people have been hitting for some reason -- the
params.bssid pointer is not guaranteed to be non-NULL
for what seems to be a race between various ways of
reaching the same thing.

While I'm trying to analyse the problem more let's
first fix the crash. I think the real fix may be to
avoid doing _anything_ if it ended up being NULL, but
right now I'm not sure yet.

I think
http://bugzilla.kernel.org/show_bug.cgi?id=14342
might also be this issue.

Reported-by: Parag Warudkar <parag.lkml@gmail.com>
Tested-by: Parag Warudkar <parag.lkml@gmail.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
---
 net/wireless/sme.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- wireless-testing.orig/net/wireless/sme.c	2009-10-31 07:29:47.000000000 +0100
+++ wireless-testing/net/wireless/sme.c	2009-10-31 07:31:29.000000000 +0100
@@ -165,7 +165,7 @@ void cfg80211_conn_work(struct work_stru
 	struct cfg80211_registered_device *rdev =
 		container_of(work, struct cfg80211_registered_device, conn_work);
 	struct wireless_dev *wdev;
-	u8 bssid[ETH_ALEN];
+	u8 bssid_buf[ETH_ALEN], *bssid = NULL;
 
 	rtnl_lock();
 	cfg80211_lock_rdev(rdev);
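Review bot: style point on the new declaration `u8 bssid_buf[ETH_ALEN], *bssid = NULL;`: mixing an array declarator and a pointer declarator in one statement is easy to misread (the `*` binds only to `bssid`, so `bssid_buf` stays a plain array while `bssid` is the pointer that may legitimately be NULL). Splitting it into two lines, `u8 bssid_buf[ETH_ALEN];` and `u8 *bssid = NULL;`, makes the intent that `bssid` is an optional pointer into `bssid_buf` obvious, and a one-line comment noting that NULL is now a valid value for the argument later handed to `__cfg80211_connect_result()` would document the behaviour change the commit message describes.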
@@ -181,7 +181,10 @@ void cfg80211_conn_work(struct work_stru
 			wdev_unlock(wdev);
 			continue;
 		}
-		memcpy(bssid, wdev->conn->params.bssid, ETH_ALEN);
+		if (wdev->conn->params.bssid) {
+			memcpy(bssid_buf, wdev->conn->params.bssid, ETH_ALEN);
+			bssid = bssid_buf;
+		}
 		if (cfg80211_conn_do_work(wdev))
 			__cfg80211_connect_result(
 					wdev->netdev, bssid,
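Review bot: `bssid` is assigned only inside the new `if (wdev->conn->params.bssid)` branch and is never reset to NULL again, yet the surrounding `continue;` shows this code runs once per `wdev` in a loop. After a first device with a non-NULL `params.bssid` sets `bssid = bssid_buf`, a later device in the same `cfg80211_conn_work()` pass whose `params.bssid` is NULL will still pass the previous device's copied address to `__cfg80211_connect_result()` instead of NULL. Resetting `bssid = NULL;` at the top of each iteration (or declaring `bssid` inside the loop body) keeps the per-device semantics the hunk intends.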


* Re: [PATCH] cfg80211: fix NULL ptr deref
From: Luis R. Rodriguez @ 2009-10-31 13:35 UTC (permalink / raw)
  To: Johannes Berg; +Cc: John Linville, Parag Warudkar, linux-wireless

On Fri, Oct 30, 2009 at 11:40 PM, Johannes Berg
<johannes@sipsolutions.net> wrote:
>  commit 211a4d12abf86fe0df4cd68fc6327cbb58f56f81
>  Author: Johannes Berg <johannes@sipsolutions.net>
>  Date:   Tue Oct 20 15:08:53 2009 +0900
>
>      cfg80211: sme: deauthenticate on assoc failure
>
> introduced a potential NULL pointer dereference that
> some people have been hitting for some reason -- the
> params.bssid pointer is not guaranteed to be non-NULL
> for what seems to be a race between various ways of
> reaching the same thing.
>
> While I'm trying to analyse the problem more let's
> first fix the crash. I think the real fix may be to
> avoid doing _anything_ if it ended up being NULL, but
> right now I'm not sure yet.
>
> I think
> http://bugzilla.kernel.org/show_bug.cgi?id=14342
> might also be this issue.
>
> Reported-by: Parag Warudkar <parag.lkml@gmail.com>
> Tested-by: Parag Warudkar <parag.lkml@gmail.com>
> Signed-off-by: Johannes Berg <johannes@sipsolutions.net>

Do we know if this will also affect 2.6.32?

  Luis


* Re: [PATCH] cfg80211: fix NULL ptr deref
From: Johannes Berg @ 2009-10-31 13:36 UTC (permalink / raw)
  To: Luis R. Rodriguez; +Cc: John Linville, Parag Warudkar, linux-wireless

On Sat, 2009-10-31 at 06:35 -0700, Luis R. Rodriguez wrote:
> On Fri, Oct 30, 2009 at 11:40 PM, Johannes Berg
> <johannes@sipsolutions.net> wrote:
> >  commit 211a4d12abf86fe0df4cd68fc6327cbb58f56f81
> >  Author: Johannes Berg <johannes@sipsolutions.net>
> >  Date:   Tue Oct 20 15:08:53 2009 +0900
> >
> >      cfg80211: sme: deauthenticate on assoc failure
> >
> > introduced a potential NULL pointer dereference that
> > some people have been hitting for some reason -- the
> > params.bssid pointer is not guaranteed to be non-NULL
> > for what seems to be a race between various ways of
> > reaching the same thing.
> >
> > While I'm trying to analyse the problem more let's
> > first fix the crash. I think the real fix may be to
> > avoid doing _anything_ if it ended up being NULL, but
> > right now I'm not sure yet.
> >
> > I think
> > http://bugzilla.kernel.org/show_bug.cgi?id=14342
> > might also be this issue.
> >
> > Reported-by: Parag Warudkar <parag.lkml@gmail.com>
> > Tested-by: Parag Warudkar <parag.lkml@gmail.com>
> > Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
> 
> Do we know if this will also affect 2.6.32?

I'm pretty sure -- have we got any changes to this code that are not
in .32?

johannes


* Re: [PATCH] cfg80211: fix NULL ptr deref
From: Luis R. Rodriguez @ 2009-10-31 13:40 UTC (permalink / raw)
  To: Johannes Berg; +Cc: John Linville, Parag Warudkar, linux-wireless

On Sat, Oct 31, 2009 at 6:36 AM, Johannes Berg
<johannes@sipsolutions.net> wrote:
> On Sat, 2009-10-31 at 06:35 -0700, Luis R. Rodriguez wrote:
>> On Fri, Oct 30, 2009 at 11:40 PM, Johannes Berg
>> <johannes@sipsolutions.net> wrote:
>> >  commit 211a4d12abf86fe0df4cd68fc6327cbb58f56f81
>> >  Author: Johannes Berg <johannes@sipsolutions.net>
>> >  Date:   Tue Oct 20 15:08:53 2009 +0900
>> >
>> >      cfg80211: sme: deauthenticate on assoc failure
>> >
>> > introduced a potential NULL pointer dereference that
>> > some people have been hitting for some reason -- the
>> > params.bssid pointer is not guaranteed to be non-NULL
>> > for what seems to be a race between various ways of
>> > reaching the same thing.
>> >
>> > While I'm trying to analyse the problem more let's
>> > first fix the crash. I think the real fix may be to
>> > avoid doing _anything_ if it ended up being NULL, but
>> > right now I'm not sure yet.
>> >
>> > I think
>> > http://bugzilla.kernel.org/show_bug.cgi?id=14342
>> > might also be this issue.
>> >
>> > Reported-by: Parag Warudkar <parag.lkml@gmail.com>
>> > Tested-by: Parag Warudkar <parag.lkml@gmail.com>
>> > Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
>>
>> Do we know if this will also affect 2.6.32?
>
> I'm pretty sure -- have we got any changes to this code that are not
> in .32?

Not sure, I just wanted to make sure we fix .32 as well, that's all.

  Luis
