diff options
| author | Bob Copeland <me@bobcopeland.com> | 2016-03-18 22:11:28 -0400 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2016-04-05 15:34:50 -0400 |
| commit | 0aa7fabbd5d9da1f8a8fdc3e2837c532bcfa5664 (patch) | |
| tree | bb69412b2a94fe667a655be8ef40f974cb5fab9a | |
| parent | 749329594b5e0fb612b2de642a692323ddf661dd (diff) | |
mac80211: mesh: handle failed alloc for rmc cache
In the unlikely case that mesh_rmc_init() fails with -ENOMEM,
the rmc pointer will be left as NULL but the interface is still
operational because ieee80211_mesh_init_sdata() is not allowed
to fail.
If this happens, we would blindly dereference rmc when checking
whether a multicast frame is in the cache. Instead just drop the
frames in the forwarding path.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| -rw-r--r-- | net/mac80211/mesh.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c index a216c439b6f2..d0d8eeaa8129 100644 --- a/net/mac80211/mesh.c +++ b/net/mac80211/mesh.c | |||
| @@ -220,6 +220,9 @@ int mesh_rmc_check(struct ieee80211_sub_if_data *sdata, | |||
| 220 | u8 idx; | 220 | u8 idx; |
| 221 | struct rmc_entry *p, *n; | 221 | struct rmc_entry *p, *n; |
| 222 | 222 | ||
| 223 | if (!rmc) | ||
| 224 | return -1; | ||
| 225 | |||
| 223 | /* Don't care about endianness since only match matters */ | 226 | /* Don't care about endianness since only match matters */ |
| 224 | memcpy(&seqnum, &mesh_hdr->seqnum, sizeof(mesh_hdr->seqnum)); | 227 | memcpy(&seqnum, &mesh_hdr->seqnum, sizeof(mesh_hdr->seqnum)); |
| 225 | idx = le32_to_cpu(mesh_hdr->seqnum) & rmc->idx_mask; | 228 | idx = le32_to_cpu(mesh_hdr->seqnum) & rmc->idx_mask; |