diff options
author | Senthil Balasubramanian <senthilkumar@atheros.com> | 2008-05-28 10:38:12 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2008-05-28 16:43:49 -0400 |
commit | 70d251b24c44ab2fcba1807a5206e844cf10eb38 (patch) | |
tree | 37b16148cc305f874fcfaf0bd68e9463232061a8 | |
parent | f6d97104890203ba9c2cf8e34894c4c8e64cb880 (diff) |
mac80211: Fix for NULL pointer dereference in sta_info_get()
This addresses a NULL pointer dereference in sta_info_get().
TID and sta_info are extracted in ADDBA Timer expiry function
through the timer handler's argument.
The problem is extracging the TID (which was stored in
timer_to_tid[] array of type "u8") through "int *" typecast which
may also yield unwanted bytes for the MSB of TID that results
in incorrect sta_info and ieee80211_local pointers.
ieee80211_local pointer is NULL as illustrated below, it crashes in
sta_info_get(). The problem started when extracting ieee80211_local
pointer out of sta_info iteself and eventually crashed in
stat_info_get().
The proper way to fix is to change the data type of TID to u8
instead of u16. However changing all the occurences requires
some prototype changes as well. We should fix this in upcoming
patches.
Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com>
Signed-off-by: Luis Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | net/mac80211/mlme.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index c29927c4977a..33a356e7b66f 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c | |||
@@ -1614,7 +1614,7 @@ void sta_addba_resp_timer_expired(unsigned long data) | |||
1614 | * only one argument, and both sta_info and TID are needed, so init | 1614 | * only one argument, and both sta_info and TID are needed, so init |
1615 | * flow in sta_info_create gives the TID as data, while the timer_to_id | 1615 | * flow in sta_info_create gives the TID as data, while the timer_to_id |
1616 | * array gives the sta through container_of */ | 1616 | * array gives the sta through container_of */ |
1617 | u16 tid = *(int *)data; | 1617 | u16 tid = *(u8 *)data; |
1618 | struct sta_info *temp_sta = container_of((void *)data, | 1618 | struct sta_info *temp_sta = container_of((void *)data, |
1619 | struct sta_info, timer_to_tid[tid]); | 1619 | struct sta_info, timer_to_tid[tid]); |
1620 | 1620 | ||
@@ -1662,7 +1662,7 @@ timer_expired_exit: | |||
1662 | void sta_rx_agg_session_timer_expired(unsigned long data) | 1662 | void sta_rx_agg_session_timer_expired(unsigned long data) |
1663 | { | 1663 | { |
1664 | /* not an elegant detour, but there is no choice as the timer passes | 1664 | /* not an elegant detour, but there is no choice as the timer passes |
1665 | * only one argument, and verious sta_info are needed here, so init | 1665 | * only one argument, and various sta_info are needed here, so init |
1666 | * flow in sta_info_create gives the TID as data, while the timer_to_id | 1666 | * flow in sta_info_create gives the TID as data, while the timer_to_id |
1667 | * array gives the sta through container_of */ | 1667 | * array gives the sta through container_of */ |
1668 | u8 *ptid = (u8 *)data; | 1668 | u8 *ptid = (u8 *)data; |