aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSenthil Balasubramanian <senthilkumar@atheros.com>2008-05-28 10:38:12 -0400
committerJohn W. Linville <linville@tuxdriver.com>2008-05-28 16:43:49 -0400
commit70d251b24c44ab2fcba1807a5206e844cf10eb38 (patch)
tree37b16148cc305f874fcfaf0bd68e9463232061a8
parentf6d97104890203ba9c2cf8e34894c4c8e64cb880 (diff)
mac80211: Fix for NULL pointer dereference in sta_info_get()
This addresses a NULL pointer dereference in sta_info_get(). TID and sta_info are extracted in ADDBA Timer expiry function through the timer handler's argument. The problem is extracging the TID (which was stored in timer_to_tid[] array of type "u8") through "int *" typecast which may also yield unwanted bytes for the MSB of TID that results in incorrect sta_info and ieee80211_local pointers. ieee80211_local pointer is NULL as illustrated below, it crashes in sta_info_get(). The problem started when extracting ieee80211_local pointer out of sta_info iteself and eventually crashed in stat_info_get(). The proper way to fix is to change the data type of TID to u8 instead of u16. However changing all the occurences requires some prototype changes as well. We should fix this in upcoming patches. Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com> Signed-off-by: Luis Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--net/mac80211/mlme.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index c29927c4977a..33a356e7b66f 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1614,7 +1614,7 @@ void sta_addba_resp_timer_expired(unsigned long data)
1614 * only one argument, and both sta_info and TID are needed, so init 1614 * only one argument, and both sta_info and TID are needed, so init
1615 * flow in sta_info_create gives the TID as data, while the timer_to_id 1615 * flow in sta_info_create gives the TID as data, while the timer_to_id
1616 * array gives the sta through container_of */ 1616 * array gives the sta through container_of */
1617 u16 tid = *(int *)data; 1617 u16 tid = *(u8 *)data;
1618 struct sta_info *temp_sta = container_of((void *)data, 1618 struct sta_info *temp_sta = container_of((void *)data,
1619 struct sta_info, timer_to_tid[tid]); 1619 struct sta_info, timer_to_tid[tid]);
1620 1620
@@ -1662,7 +1662,7 @@ timer_expired_exit:
1662void sta_rx_agg_session_timer_expired(unsigned long data) 1662void sta_rx_agg_session_timer_expired(unsigned long data)
1663{ 1663{
1664 /* not an elegant detour, but there is no choice as the timer passes 1664 /* not an elegant detour, but there is no choice as the timer passes
1665 * only one argument, and verious sta_info are needed here, so init 1665 * only one argument, and various sta_info are needed here, so init
1666 * flow in sta_info_create gives the TID as data, while the timer_to_id 1666 * flow in sta_info_create gives the TID as data, while the timer_to_id
1667 * array gives the sta through container_of */ 1667 * array gives the sta through container_of */
1668 u8 *ptid = (u8 *)data; 1668 u8 *ptid = (u8 *)data;