mac80211: fix possible null-pointer de-reference

This patch not only fixes a null-pointer de-reference that would be triggered by a PLINK_OPEN frame with mis- matching/incompatible mesh configuration, but also responds correctly to non-compatible PLINK_OPEN frames by generating a PLINK_CLOSE with the right reason code. The original bug was detected by smatch. ( http://repo.or.cz/w/smatch.git ) net/mac80211/mesh_plink.c +574 mesh_rx_plink_frame(168) error: we previously assumed 'sta' could be null. Cc: <stable@kernel.org> Reviewed-and-Tested-by: Steve deRosier <steve@cozybit.com> Reviewed-and-Tested-by: Javier Cardona <javier@cozybit.com> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Christian Lamparter <chunkeey@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Christian Lamparter <chunkeey@googlemail.com> 2010-10-08 16:27:07 -0400
committer: John W. Linville <linville@tuxdriver.com> 2010-10-11 15:04:20 -0400
commit: d12c74528e3065c90df70fbc06ec6ffd6e804738 (patch)
tree: 623743ffa8899178b4cb4cfe7c831918f6727e74 /net/mac80211
parent: 7109ca5c80a0bb94378ebd7f8bb6d00edb5e6fba (diff)
1 files changed, 14 insertions, 3 deletions
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index ea13a80a476..1c91f0f3c30 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -412,7 +412,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
        enum plink_event event;
        enum plink_frame_type ftype;
        size_t baselen;
-        bool deactivated;
+        bool deactivated, matches_local = true;
        u8 ie_len;
        u8 *baseaddr;
        __le16 plid, llid, reason;
@@ -487,6 +487,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
        /* Now we will figure out the appropriate event... */
        event = PLINK_UNDEFINED;
        if (ftype != PLINK_CLOSE && (!mesh_matches_local(&elems, sdata))) {
+                matches_local = false;
                switch (ftype) {
                case PLINK_OPEN:
                        event = OPN_RJCT;
@@ -498,7 +499,15 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        /* avoid warning */
                        break;
                }
-                spin_lock_bh(&sta->lock);
+        }
+        if (!sta && !matches_local) {
+                rcu_read_unlock();
+                reason = cpu_to_le16(MESH_CAPABILITY_POLICY_VIOLATION);
+                llid = 0;
+                mesh_plink_frame_tx(sdata, PLINK_CLOSE, mgmt->sa, llid,
+                                    plid, reason);
+                return;
        } else if (!sta) {
                /* ftype == PLINK_OPEN */
                u32 rates;
@@ -522,7 +531,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                }
                event = OPN_ACPT;
                spin_lock_bh(&sta->lock);
-        } else {
+        } else if (matches_local) {
                spin_lock_bh(&sta->lock);
                switch (ftype) {
                case PLINK_OPEN:
@@ -564,6 +573,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        rcu_read_unlock();
                        return;
                }
+        } else {
+                spin_lock_bh(&sta->lock);
        }
        mpl_dbg("Mesh plink (peer, state, llid, plid, event): %pM %s %d %d %d\n",
author	Christian Lamparter <chunkeey@googlemail.com>	2010-10-08 16:27:07 -0400
committer	John W. Linville <linville@tuxdriver.com>	2010-10-11 15:04:20 -0400
commit	d12c74528e3065c90df70fbc06ec6ffd6e804738 (patch)
tree	623743ffa8899178b4cb4cfe7c831918f6727e74 /net/mac80211
parent	7109ca5c80a0bb94378ebd7f8bb6d00edb5e6fba (diff)