author | Johannes Berg <johannes@sipsolutions.net> | 2009-11-20 03:15:51 -0500 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-11-30 13:52:21 -0500 |
commit | 4253119acf412fd686ef4bd8749b5a4d70ea3a51 (patch) | |
tree | 44dc3e4ea5a6c2eb21a0e0c04de1c04e1662549d | |
parent | 3e9848403ad59c53b31facb30b43ca80135ae0b9 (diff) |
mac80211: fix two remote exploits
Lennert Buytenhek noticed a remotely triggerable problem
in mac80211, which is due to some code shuffling I did
that ended up changing the order in which things were
done -- this was in
commit d75636ef9c1af224f1097941879d5a8db7cd04e5
Author: Johannes Berg <johannes@sipsolutions.net>
Date: Tue Feb 10 21:25:53 2009 +0100
mac80211: RX aggregation: clean up stop session
The problem is that the BUG_ON moved before the various
checks, and as such can be triggered.
As the comment indicates, the BUG_ON can be removed since
the ampdu_action callback must already exist when the
state is OPERATIONAL.
A similar code path leads to a WARN_ON in
ieee80211_stop_tx_ba_session, which can also be removed.
Cc: stable@kernel.org [2.6.29+]
Cc: Lennert Buytenhek <buytenh@marvell.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | net/mac80211/agg-rx.c | 4 | ||||
-rw-r--r-- | net/mac80211/agg-tx.c | 2 |
2 files changed, 1 insertions, 5 deletions
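--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -85,10 +85,6 @@ void ieee80211_sta_stop_rx_ba_session(struct ieee80211_sub_if_data *sdata, u8 *r
 struct ieee80211_local *local = sdata->local;
 struct sta_info *sta;
 
-/* stop HW Rx aggregation. ampdu_action existence
-* already verified in session init so we add the BUG_ON */
-BUG_ON(!local->ops->ampdu_action);
-
 rcu_read_lock();
 
 sta = sta_info_get(local, ra);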
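--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -545,7 +545,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_hw *hw,
 struct sta_info *sta;
 int ret = 0;
 
-if (WARN_ON(!local->ops->ampdu_action))
+if (!local->ops->ampdu_action)
 return -EINVAL;
 
 if (tid >= STA_TID_NUM)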
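Review bot: The bare `if (!local->ops->ampdu_action)` check in ieee80211_stop_tx_ba_session now fails silently with -EINVAL, and nothing on the new side records why the warning had to go. The commit message describes this path as reachable through a remotely triggerable code path, so an assertion here gives a peer a way to flood the kernel log, or to stop a machine that is configured to panic on warnings. A one-line comment above the check would keep a later cleanup from restoring it, for example `/* can be reached from remotely triggered paths: fail quietly, never WARN/BUG here */`. The function body starts and ends outside the hunk, so whether every later use of ampdu_action is covered by this check cannot be confirmed from the visible lines.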