* [PATCH] ath9k: Fix a NULL pointer dereference in ath_rate_get
From: Jouni Malinen @ 2008-12-17 11:30 UTC (permalink / raw)
To: John W. Linville; +Cc: linux-wireless
It looks like mac80211 may try to send unicast frames to a STA that
does not have a STA entry. We need to make sure that that is caught in
the rate control code before dereferencing STA data.
Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
---
drivers/net/wireless/ath9k/rc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- wireless-testing.orig/drivers/net/wireless/ath9k/rc.c 2008-12-17 12:37:50.000000000 +0200
+++ wireless-testing/drivers/net/wireless/ath9k/rc.c 2008-12-17 13:00:38.000000000 +0200
@@ -1498,7 +1498,8 @@ static void ath_get_rate(void *priv, str
__le16 fc = hdr->frame_control;
/* lowest rate for management and multicast/broadcast frames */
- if (!ieee80211_is_data(fc) || is_multicast_ether_addr(hdr->addr1)) {
+ if (!ieee80211_is_data(fc) || is_multicast_ether_addr(hdr->addr1) ||
+ !sta) {
tx_info->control.rates[0].idx = rate_lowest_index(sband, sta);
tx_info->control.rates[0].count =
is_multicast_ether_addr(hdr->addr1) ? 1 : ATH_MGT_TXMAXTRY;
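Review bot: the new `!sta` arm still passes the (now known-NULL) `sta` straight into `rate_lowest_index(sband, sta)` on the very next line, so this fix is only correct if that helper treats a NULL station as "any rate in sband is acceptable"; since the whole point of the change is to stop dereferencing STA data, please add a one-line comment above the condition (or a sentence in the changelog) stating that `rate_lowest_index()` tolerates a NULL `sta`, and confirm that nothing else in the lowest-rate branch below the visible context touches `sta`. It would also help the next reader if the changelog named the case that triggers this (unicast frames with no STA entry, e.g. injected frames in AP mode) rather than "it looks like".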
--
Jouni Malinen PGP id EFC895FA
* Re: [PATCH] ath9k: Fix a NULL pointer dereference in ath_rate_get
From: Johannes Berg @ 2008-12-17 11:30 UTC (permalink / raw)
To: Jouni Malinen; +Cc: John W. Linville, linux-wireless
On Wed, 2008-12-17 at 13:30 +0200, Jouni Malinen wrote:
> It looks like mac80211 may try to send unicast frames to a STA that
> does not have a STA entry. We need to make sure that that is caught in
> the rate control code before dereferencing STA data.
This should only happen for injected packets, can you verify? OTOH, AP
mode obviously has injected packets (auth response, ...)
johannes
* Re: [PATCH] ath9k: Fix a NULL pointer dereference in ath_rate_get
From: Jouni Malinen @ 2008-12-17 12:02 UTC (permalink / raw)
To: Johannes Berg; +Cc: Jouni Malinen, John W. Linville, linux-wireless
On Wed, Dec 17, 2008 at 12:30:56PM +0100, Johannes Berg wrote:
> On Wed, 2008-12-17 at 13:30 +0200, Jouni Malinen wrote:
> > It looks like mac80211 may try to send unicast frames to a STA that
> > does not have a STA entry. We need to make sure that that is caught in
> > the rate control code before dereferencing STA data.
>
> This should only happen for injected packets, can you verify? OTOH, AP
> mode obviously has injected packets (auth response, ...)
I did not check what the exact frame was, but this was indeed in AP mode
and the frame was most likely from hostapd and as such, an injected
packet.
--
Jouni Malinen PGP id EFC895FA
* Re: [PATCH] ath9k: Fix a NULL pointer dereference in ath_rate_get
From: Johannes Berg @ 2008-12-17 12:21 UTC (permalink / raw)
To: Christian Lamparter
Cc: Jouni Malinen, Jouni Malinen, John W. Linville, linux-wireless
On Wed, 2008-12-17 at 13:25 +0100, Christian Lamparter wrote:
> hostapd: wlan1: STA XX:XX:XX:XX:0d IEEE 802.11: authenticated
> kernel: [ 3130.431067] ------------[ cut here ]------------
> kernel: [ 3130.431076] WARNING: at net/mac80211/rc80211_minstrel.c:69 minstrel_rate_init+0xb8/0x320 [mac80211]()
> kernel: [ 3130.431081] Modules linked in: p54usb p54pci p54common [...]
> kernel: [ 3130.431300] Pid: 16961, comm: hostapd2 Tainted: P 2.6.28-rc7-wl #3
> [ 3130.431305] Call Trace:
> [ 3130.431318] [<ffffffff802343c1>] warn_on_slowpath+0x51/0x75
> [ 3130.431329] [<ffffffff803d74b0>] rb_insert_color+0xba/0xe2
> [ 3130.431338] [<ffffffff802480ef>] __remove_hrtimer+0x7c/0x88
> [ 3130.431375] [<ffffffffa00bd30e>] minstrel_rate_init+0xb8/0x320 [mac80211]
> [ 3130.431417] [<ffffffffa00ae713>] ieee80211_add_station+0x145/0x17d [mac80211]
> hostapd: wlan1: STA XX:XX:XX:XX:0d IEEE 802.11: associated (aid 1, accounting session 494187DD-00000000)
> kernel: [ 3130.431440] [<ffffffffa00897af>] nl80211_new_station+0x1b3/0x20b [cfg80211]
> kernel: [ 3130.431450] [<ffffffff80595691>] mutex_lock+0xd/0x1e
> kernel: [ 3130.431459] [<ffffffff804f6f86>] nla_parse+0x4b/0xb2
>
> yup, the Warning just happened right between auth and assoc
This, umm, seems totally unrelated since Jouni was fixing something in
ath9k's RC algorithm.
johannes
* Re: [PATCH] ath9k: Fix a NULL pointer dereference in ath_rate_get
From: Christian Lamparter @ 2008-12-17 12:25 UTC (permalink / raw)
To: Jouni Malinen
Cc: Johannes Berg, Jouni Malinen, John W. Linville, linux-wireless
On Wednesday 17 December 2008 13:02:50 Jouni Malinen wrote:
> On Wed, Dec 17, 2008 at 12:30:56PM +0100, Johannes Berg wrote:
> > On Wed, 2008-12-17 at 13:30 +0200, Jouni Malinen wrote:
> > > It looks like mac80211 may try to send unicast frames to a STA that
> > > does not have a STA entry. We need to make sure that that is caught in
> > > the rate control code before dereferencing STA data.
> >
> > This should only happen for injected packets, can you verify? OTOH, AP
> > mode obviously has injected packets (auth response, ...)
>
> I did not check what the exact frame was, but this was indeed in AP mode
> and the frame was most likely from hostapd and as such, an injected
> packet.
>
hostapd: wlan1: STA XX:XX:XX:XX:0d IEEE 802.11: authenticated
kernel: [ 3130.431067] ------------[ cut here ]------------
kernel: [ 3130.431076] WARNING: at net/mac80211/rc80211_minstrel.c:69 minstrel_rate_init+0xb8/0x320 [mac80211]()
kernel: [ 3130.431081] Modules linked in: p54usb p54pci p54common [...]
kernel: [ 3130.431300] Pid: 16961, comm: hostapd2 Tainted: P 2.6.28-rc7-wl #3
[ 3130.431305] Call Trace:
[ 3130.431318] [<ffffffff802343c1>] warn_on_slowpath+0x51/0x75
[ 3130.431329] [<ffffffff803d74b0>] rb_insert_color+0xba/0xe2
[ 3130.431338] [<ffffffff802480ef>] __remove_hrtimer+0x7c/0x88
[ 3130.431375] [<ffffffffa00bd30e>] minstrel_rate_init+0xb8/0x320 [mac80211]
[ 3130.431417] [<ffffffffa00ae713>] ieee80211_add_station+0x145/0x17d [mac80211]
hostapd: wlan1: STA XX:XX:XX:XX:0d IEEE 802.11: associated (aid 1, accounting session 494187DD-00000000)
kernel: [ 3130.431440] [<ffffffffa00897af>] nl80211_new_station+0x1b3/0x20b [cfg80211]
kernel: [ 3130.431450] [<ffffffff80595691>] mutex_lock+0xd/0x1e
kernel: [ 3130.431459] [<ffffffff804f6f86>] nla_parse+0x4b/0xb2
yup, the Warning just happened right between auth and assoc
Regards,
Chr
* Re: [PATCH] ath9k: Fix a NULL pointer dereference in ath_rate_get
From: Christian Lamparter @ 2008-12-17 13:02 UTC (permalink / raw)
To: Johannes Berg
Cc: Jouni Malinen, Jouni Malinen, John W. Linville, linux-wireless
On Wednesday 17 December 2008 13:21:04 Johannes Berg wrote:
> On Wed, 2008-12-17 at 13:25 +0100, Christian Lamparter wrote:
>
> > hostapd: wlan1: STA XX:XX:XX:XX:0d IEEE 802.11: authenticated
> > kernel: [ 3130.431067] ------------[ cut here ]------------
> > kernel: [ 3130.431076] WARNING: at net/mac80211/rc80211_minstrel.c:69 minstrel_rate_init+0xb8/0x320 [mac80211]()
> > kernel: [ 3130.431081] Modules linked in: p54usb p54pci p54common [...]
> > kernel: [ 3130.431300] Pid: 16961, comm: hostapd2 Tainted: P 2.6.28-rc7-wl #3
> > [ 3130.431305] Call Trace:
> > [ 3130.431318] [<ffffffff802343c1>] warn_on_slowpath+0x51/0x75
> > [ 3130.431329] [<ffffffff803d74b0>] rb_insert_color+0xba/0xe2
> > [ 3130.431338] [<ffffffff802480ef>] __remove_hrtimer+0x7c/0x88
> > [ 3130.431375] [<ffffffffa00bd30e>] minstrel_rate_init+0xb8/0x320 [mac80211]
> > [ 3130.431417] [<ffffffffa00ae713>] ieee80211_add_station+0x145/0x17d [mac80211]
> > hostapd: wlan1: STA XX:XX:XX:XX:0d IEEE 802.11: associated (aid 1, accounting session 494187DD-00000000)
> > kernel: [ 3130.431440] [<ffffffffa00897af>] nl80211_new_station+0x1b3/0x20b [cfg80211]
> > kernel: [ 3130.431450] [<ffffffff80595691>] mutex_lock+0xd/0x1e
> > kernel: [ 3130.431459] [<ffffffff804f6f86>] nla_parse+0x4b/0xb2
> >
> > yup, the Warning just happened right between auth and assoc
>
> This, umm, seems totally unrelated since Jouni was fixing something in
> ath9k's RC algorithm.
>
hmm, I wanted to point out that not only ath9k's RC algorithm has problems with
uninitialized/dereferenced sta... as he said in his patch description:
"It looks like mac80211 may try to send unicast frames to a STA that does not have a STA entry."
But if this is an unrelated problem... Sorry!!!
Regards,
Chr