aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohannes Berg <johannes@sipsolutions.net>2009-11-20 03:15:51 -0500
committerJohn W. Linville <linville@tuxdriver.com>2009-11-30 13:52:21 -0500
commit4253119acf412fd686ef4bd8749b5a4d70ea3a51 (patch)
tree44dc3e4ea5a6c2eb21a0e0c04de1c04e1662549d
parent3e9848403ad59c53b31facb30b43ca80135ae0b9 (diff)
mac80211: fix two remote exploits
Lennert Buytenhek noticed a remotely triggerable problem in mac80211, which is due to some code shuffling I did that ended up changing the order in which things were done -- this was in commit d75636ef9c1af224f1097941879d5a8db7cd04e5 Author: Johannes Berg <johannes@sipsolutions.net> Date: Tue Feb 10 21:25:53 2009 +0100 mac80211: RX aggregation: clean up stop session The problem is that the BUG_ON moved before the various checks, and as such can be triggered. As the comment indicates, the BUG_ON can be removed since the ampdu_action callback must already exist when the state is OPERATIONAL. A similar code path leads to a WARN_ON in ieee80211_stop_tx_ba_session, which can also be removed. Cc: stable@kernel.org [2.6.29+] Cc: Lennert Buytenhek <buytenh@marvell.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--net/mac80211/agg-rx.c4
-rw-r--r--net/mac80211/agg-tx.c2
2 files changed, 1 insertions, 5 deletions
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index bc064d7933ff..ce8e0e772bab 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -85,10 +85,6 @@ void ieee80211_sta_stop_rx_ba_session(struct ieee80211_sub_if_data *sdata, u8 *r
85 struct ieee80211_local *local = sdata->local; 85 struct ieee80211_local *local = sdata->local;
86 struct sta_info *sta; 86 struct sta_info *sta;
87 87
88 /* stop HW Rx aggregation. ampdu_action existence
89 * already verified in session init so we add the BUG_ON */
90 BUG_ON(!local->ops->ampdu_action);
91
92 rcu_read_lock(); 88 rcu_read_lock();
93 89
94 sta = sta_info_get(local, ra); 90 sta = sta_info_get(local, ra);
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index 206fd82f0c76..63224d1ee8dd 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -545,7 +545,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_hw *hw,
545 struct sta_info *sta; 545 struct sta_info *sta;
546 int ret = 0; 546 int ret = 0;
547 547
548 if (WARN_ON(!local->ops->ampdu_action)) 548 if (!local->ops->ampdu_action)
549 return -EINVAL; 549 return -EINVAL;
550 550
551 if (tid >= STA_TID_NUM) 551 if (tid >= STA_TID_NUM)