cfg80211: fix BSS struct IE access races

When a BSS struct is updated, the IEs are currently overwritten or freed. This can lead to races if some other CPU is accessing the BSS struct and using the IEs concurrently. Fix this by always allocating the IEs in a new struct that holds the data and length and protecting access to this new struct with RCU. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
author: Johannes Berg <johannes.berg@intel.com> 2012-11-28 19:25:20 -0500
committer: Johannes Berg <johannes.berg@intel.com> 2012-11-30 07:42:20 -0500
commit: 9caf03640279e64d0ba36539b42daa1b43a49486 (patch)
tree: cb094a4a577f61421d1b402e16f0e68f151d5726 /net/wireless/wext-sme.c
parent: b9a9ada14aab17f08c1d9735601f1097cdcfc6de (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index 873af63187c0..fb9622f6d99c 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -242,13 +242,17 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev,
        wdev_lock(wdev);
        if (wdev->current_bss) {
-                const u8 *ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
+                const u8 *ie;
-                                                    WLAN_EID_SSID);
+                rcu_read_lock();
+                ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
+                                          WLAN_EID_SSID);
                if (ie) {
                        data->flags = 1;
                        data->length = ie[1];
                        memcpy(ssid, ie + 2, data->length);
                }
+                rcu_read_unlock();
        } else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
                data->flags = 1;
                data->length = wdev->wext.connect.ssid_len;
author	Johannes Berg <johannes.berg@intel.com>	2012-11-28 19:25:20 -0500
committer	Johannes Berg <johannes.berg@intel.com>	2012-11-30 07:42:20 -0500
commit	9caf03640279e64d0ba36539b42daa1b43a49486 (patch)
tree	cb094a4a577f61421d1b402e16f0e68f151d5726 /net/wireless/wext-sme.c
parent	b9a9ada14aab17f08c1d9735601f1097cdcfc6de (diff)

diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c index 873af63187c0..fb9622f6d99c 100644 --- a/net/wireless/wext-sme.c +++ b/net/wireless/wext-sme.c
@@ -242,13 +242,17 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev,
242		242
243	wdev_lock(wdev);	243	wdev_lock(wdev);
244	if (wdev->current_bss) {	244	if (wdev->current_bss) {
245	const u8 *ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,	245	const u8 *ie;
246	WLAN_EID_SSID);	246
		247	rcu_read_lock();
		248	ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
		249	WLAN_EID_SSID);
247	if (ie) {	250	if (ie) {
248	data->flags = 1;	251	data->flags = 1;
249	data->length = ie[1];	252	data->length = ie[1];
250	memcpy(ssid, ie + 2, data->length);	253	memcpy(ssid, ie + 2, data->length);
251	}	254	}
		255	rcu_read_unlock();
252	} else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {	256	} else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
253	data->flags = 1;	257	data->flags = 1;
254	data->length = wdev->wext.connect.ssid_len;	258	data->length = wdev->wext.connect.ssid_len;