linux-wireless.vger.kernel.org archive mirror
From: Tim Harvey <harvey.tim@gmail.com>
To: linux-wireless@vger.kernel.org
Cc: Tim Harvey <harvey.tim@gmail.com>
Subject: [PATCH v3] mac80211: Fix NULL-pointer dereference on ibss merge when not ready
Date: Thu,  9 Dec 2010 10:43:13 -0800
Message-ID: <1291920193-28228-1-git-send-email-harvey.tim@gmail.com>

dev_open will eventually call ieee80211_ibss_join, which sets up the
skb used for beacons/probe responses; however, it is possible to
receive beacons that attempt to merge before this occurs, causing
a NULL pointer dereference.  Check ssid_len, as that is the last
thing set in ieee80211_ibss_join.

This occurs quite easily in the presence of adhoc nodes with hidden SSIDs.

Revised previous patch to check further up based on IRC feedback.

Signed-off-by: Tim Harvey <harvey.tim@gmail.com>
---
 net/mac80211/ibss.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 410d104..53c7077 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -780,6 +780,9 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
 
 	mutex_lock(&sdata->u.ibss.mtx);
 
+	if (!sdata->u.ibss.ssid_len)
+		goto mgmt_out; /* not ready to merge yet */
+
 	switch (fc & IEEE80211_FCTL_STYPE) {
 	case IEEE80211_STYPE_PROBE_REQ:
 		ieee80211_rx_mgmt_probe_req(sdata, mgmt, skb->len);
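Review bot: The early `goto mgmt_out` on `!sdata->u.ibss.ssid_len` drops every queued management frame, including the probe requests dispatched to `ieee80211_rx_mgmt_probe_req` just below it, while the comment only says "not ready to merge yet"; either widen the comment to say that no management frames are handled before the join completes, or note explicitly that `ssid_len` is used as the readiness marker because it is the last field `ieee80211_ibss_join` stores (per the commit message), since this guard silently stops working if that store order ever changes. It would also help to state that the test is valid only because it runs under `u.ibss.mtx` and the join/leave paths update `ssid_len` under the same mutex.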
@@ -797,6 +800,7 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
 		break;
 	}
 
+ mgmt_out:
 	mutex_unlock(&sdata->u.ibss.mtx);
 }
 
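Review bot: The label on the added line is indented by one space (` mgmt_out:`); kernel style puts labels in column 0 and current checkpatch.pl warns about indented labels, so write it as `mgmt_out:`. The exit path itself is fine: the single unlock after the label covers both the early-out and the normal fall-through from the switch.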
-- 
1.7.0.4
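As an added illustration (not mac80211 code and not the author's), the following user-space model shows the ordering the patch relies on: the join path builds the beacon buffer first and publishes `ssid_len` last, the leave path clears `ssid_len` before freeing the buffer, and the queued-management-frame handler keys on `ssid_len` under the same lock before touching anything join sets up. All names (`ibss_state`, `ibss_join`, `ibss_leave`, `ibss_rx_mgmt`, `beacon_buf`, the `MGMT_*` values) are hypothetical stand-ins for `sdata->u.ibss`, `ieee80211_ibss_join`, `ieee80211_ibss_rx_queued_mgmt` and the `IEEE80211_STYPE_*` constants, and the "merge" is reduced to an SSID comparison.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the IEEE80211_STYPE_* subtypes the real switch dispatches on. */
enum { MGMT_PROBE_REQ = 0x40, MGMT_PROBE_RESP = 0x50, MGMT_BEACON = 0x80 };

/* Hypothetical beacon/probe-response buffer (plays the role of the skb). */
struct beacon_buf {
	size_t len;
	unsigned char data[64];
};

/* Hypothetical per-interface IBSS state (plays the role of sdata->u.ibss). */
struct ibss_state {
	pthread_mutex_t mtx;
	struct beacon_buf *presp;	/* NULL until join builds it */
	char ssid[32];
	size_t ssid_len;		/* stored LAST by join: the readiness marker */
	unsigned merges;
};

void ibss_init(struct ibss_state *st)
{
	memset(st, 0, sizeof(*st));
	pthread_mutex_init(&st->mtx, NULL);
}

/* Build everything the rx path dereferences, then publish ssid_len last. */
int ibss_join(struct ibss_state *st, const char *ssid)
{
	size_t n = strlen(ssid);
	struct beacon_buf *b;

	if (n == 0 || n >= sizeof(st->ssid))
		return -1;
	b = calloc(1, sizeof(*b));
	if (!b)
		return -1;
	b->len = (size_t)snprintf((char *)b->data, sizeof(b->data), "beacon:%s", ssid);

	pthread_mutex_lock(&st->mtx);
	st->presp = b;
	memcpy(st->ssid, ssid, n + 1);
	st->ssid_len = n;	/* last store under the lock: rx may merge from here on */
	pthread_mutex_unlock(&st->mtx);
	return 0;
}

/* Clear the readiness marker before tearing down what rx would touch. */
void ibss_leave(struct ibss_state *st)
{
	pthread_mutex_lock(&st->mtx);
	st->ssid_len = 0;
	free(st->presp);
	st->presp = NULL;
	pthread_mutex_unlock(&st->mtx);
}

/* Queued management-frame handler. Returns 1 if the frame was processed,
 * 0 if it was dropped because the interface is not ready yet. */
int ibss_rx_mgmt(struct ibss_state *st, unsigned stype, const char *peer_ssid)
{
	int handled = 0;

	pthread_mutex_lock(&st->mtx);
	if (!st->ssid_len)
		goto out;	/* not ready to merge yet: presp may still be NULL */

	switch (stype) {
	case MGMT_BEACON:
	case MGMT_PROBE_RESP:
		/* Simplified merge: same SSID. Without the guard above, this
		 * presp dereference is the NULL pointer crash being fixed. */
		if (st->presp->len && strcmp(peer_ssid, st->ssid) == 0)
			st->merges++;
		handled = 1;
		break;
	default:
		handled = 1;	/* other subtypes: handled, nothing to merge */
		break;
	}
out:
	pthread_mutex_unlock(&st->mtx);
	return handled;
}

int main(void)
{
	struct ibss_state st;

	ibss_init(&st);
	/* Constructed sequence: a beacon arrives before the join completes. */
	printf("before join: %s\n",
	       ibss_rx_mgmt(&st, MGMT_BEACON, "adhoc") ? "processed" : "dropped");
	ibss_join(&st, "adhoc");
	printf("after join:  %s (merges=%u)\n",
	       ibss_rx_mgmt(&st, MGMT_BEACON, "adhoc") ? "processed" : "dropped",
	       st.merges);
	ibss_leave(&st);
	return 0;
}
```

The model keeps the two properties the patch depends on: the marker is the last field the join path writes and the first field the leave path clears, and every reader checks it under the same lock, so a frame queued around either transition is either fully processed against a complete state or dropped.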


Thread overview: 2+ messages
2010-12-09 18:43 Tim Harvey [this message]
2010-12-09 19:23 ` [PATCH v3] mac80211: Fix NULL-pointer dereference on ibss merge when not ready Johannes Berg
