aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohannes Berg <johannes@sipsolutions.net>2009-04-23 05:48:56 -0400
committerJohn W. Linville <linville@tuxdriver.com>2009-05-06 15:14:29 -0400
commit0e41f715c04f85a40ae6531d660be2241717be1c (patch)
tree35e44d6a2d4de54ad6cfd5d7fe2b6348efad2c6a
parentc7ae011dc8306d982c25fb4f679752e790a08dc4 (diff)
mac80211: fix various problems in ibss code
There are a few problems in the IBSS code: a) it tries to activate interfaces that are down after scanning b) it crashes after scanning on an IBSS iface that isn't active c) since the ssid_len is used as a flag, need to make it visible only after all other settings are set, this helps protect against b) For b), we get a system crash: wlan0: Creating new IBSS network, BSSID ce:f9:88:76:1e:4d BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<...>] ieee80211_sta_find_ibss+0x294/0x37d [mac80211] Call Trace: [<...>] ieee80211_ibss_notify_scan_completed+0x0/0x88 [mac80211] Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--net/mac80211/ibss.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 6030e003180c..895f4854760c 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -786,8 +786,12 @@ void ieee80211_ibss_notify_scan_completed(struct ieee80211_local *local)
786 786
787 mutex_lock(&local->iflist_mtx); 787 mutex_lock(&local->iflist_mtx);
788 list_for_each_entry(sdata, &local->interfaces, list) { 788 list_for_each_entry(sdata, &local->interfaces, list) {
789 if (!netif_running(sdata->dev))
790 continue;
789 if (sdata->vif.type != NL80211_IFTYPE_ADHOC) 791 if (sdata->vif.type != NL80211_IFTYPE_ADHOC)
790 continue; 792 continue;
793 if (!sdata->u.ibss.ssid_len)
794 continue;
791 sdata->u.ibss.last_scan_completed = jiffies; 795 sdata->u.ibss.last_scan_completed = jiffies;
792 ieee80211_sta_find_ibss(sdata); 796 ieee80211_sta_find_ibss(sdata);
793 } 797 }
@@ -827,9 +831,6 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
827{ 831{
828 struct sk_buff *skb; 832 struct sk_buff *skb;
829 833
830 memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);
831 sdata->u.ibss.ssid_len = params->ssid_len;
832
833 if (params->bssid) { 834 if (params->bssid) {
834 memcpy(sdata->u.ibss.bssid, params->bssid, ETH_ALEN); 835 memcpy(sdata->u.ibss.bssid, params->bssid, ETH_ALEN);
835 sdata->u.ibss.fixed_bssid = true; 836 sdata->u.ibss.fixed_bssid = true;
@@ -859,6 +860,17 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
859 sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH; 860 sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
860 sdata->u.ibss.ibss_join_req = jiffies; 861 sdata->u.ibss.ibss_join_req = jiffies;
861 862
863 memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);
864
865 /*
866 * The ssid_len setting below is used to see whether
867 * we are active, and we need all other settings
868 * before that may get visible.
869 */
870 mb();
871
872 sdata->u.ibss.ssid_len = params->ssid_len;
873
862 set_bit(IEEE80211_IBSS_REQ_RUN, &sdata->u.ibss.request); 874 set_bit(IEEE80211_IBSS_REQ_RUN, &sdata->u.ibss.request);
863 queue_work(sdata->local->hw.workqueue, &sdata->u.ibss.work); 875 queue_work(sdata->local->hw.workqueue, &sdata->u.ibss.work);
864 876