[PATCH] mac80211: fix NULL dereference in radiotap code

Linux wireless drivers development
 help / color / mirror / Atom feed

* [PATCH] mac80211: fix NULL dereference in radiotap code
@ 2011-11-08 11:28 Johannes Berg
  0 siblings, 0 replies; only message in thread
From: Johannes Berg @ 2011-11-08 11:28 UTC (permalink / raw)
  To: John Linville; +Cc: Xiaokang Qin, linux-wireless

From: Johannes Berg <johannes.berg@intel.com>

When receiving failed PLCP frames is enabled, there
won't be a rate pointer when we add the radiotap
header and thus the kernel will crash. Fix this by
not assuming the rate pointer is always valid. It's
still always valid for frames that have good PLCP
though, and that is checked & enforced.

This was broken by my
commit fc88518916793af8ad6a02e05ff254d95c36d875
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri Jul 30 13:23:12 2010 +0200

    mac80211: don't check rates on PLCP error frames

where I removed the check in this case but didn't
take into account that the rate info would be used.

Reported-by: Xiaokang Qin <xiaokang.qin@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/mac80211/rx.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/net/mac80211/rx.c	2011-11-08 09:24:58.000000000 +0100
+++ b/net/mac80211/rx.c	2011-11-08 12:19:55.000000000 +0100
@@ -140,8 +140,9 @@ ieee80211_add_rx_radiotap_header(struct
 	pos++;
 
 	/* IEEE80211_RADIOTAP_RATE */
-	if (status->flag & RX_FLAG_HT) {
+	if (!rate || status->flag & RX_FLAG_HT) {
 		/*
+		 * Without rate information don't add it. If we have,
 		 * MCS information is a separate field in radiotap,
 		 * added below. The byte here is needed as padding
 		 * for the channel though, so initialise it to 0.
@@ -162,12 +163,14 @@ ieee80211_add_rx_radiotap_header(struct
 	else if (status->flag & RX_FLAG_HT)
 		put_unaligned_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ,
 				   pos);
-	else if (rate->flags & IEEE80211_RATE_ERP_G)
+	else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
 		put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ,
 				   pos);
-	else
+	else if (rate)
 		put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ,
 				   pos);
+	else
+		put_unaligned_le16(IEEE80211_CHAN_2GHZ, pos);
 	pos += 2;
 
 	/* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */



^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2011-11-08 11:28 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-11-08 11:28 [PATCH] mac80211: fix NULL dereference in radiotap code Johannes Berg

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox