diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2012-11-28 19:25:20 -0500 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2012-11-30 07:42:20 -0500 |
| commit | 9caf03640279e64d0ba36539b42daa1b43a49486 (patch) | |
| tree | cb094a4a577f61421d1b402e16f0e68f151d5726 /net/wireless/util.c | |
| parent | b9a9ada14aab17f08c1d9735601f1097cdcfc6de (diff) | |
cfg80211: fix BSS struct IE access races
When a BSS struct is updated, the IEs are currently
overwritten or freed. This can lead to races if some
other CPU is accessing the BSS struct and using the
IEs concurrently.
Fix this by always allocating the IEs in a new struct
that holds the data and length and protecting access
to this new struct with RCU.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless/util.c')
| -rw-r--r-- | net/wireless/util.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/net/wireless/util.c b/net/wireless/util.c index 3cce6e48621..16d76a807c2 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c | |||
| @@ -688,10 +688,13 @@ EXPORT_SYMBOL(cfg80211_classify8021d); | |||
| 688 | 688 | ||
| 689 | const u8 *ieee80211_bss_get_ie(struct cfg80211_bss *bss, u8 ie) | 689 | const u8 *ieee80211_bss_get_ie(struct cfg80211_bss *bss, u8 ie) |
| 690 | { | 690 | { |
| 691 | if (bss->information_elements == NULL) | 691 | const struct cfg80211_bss_ies *ies; |
| 692 | |||
| 693 | ies = rcu_dereference(bss->ies); | ||
| 694 | if (!ies) | ||
| 692 | return NULL; | 695 | return NULL; |
| 693 | return cfg80211_find_ie(ie, bss->information_elements, | 696 | |
| 694 | bss->len_information_elements); | 697 | return cfg80211_find_ie(ie, ies->data, ies->len); |
| 695 | } | 698 | } |
| 696 | EXPORT_SYMBOL(ieee80211_bss_get_ie); | 699 | EXPORT_SYMBOL(ieee80211_bss_get_ie); |
| 697 | 700 | ||