diff options
| author | Johannes Berg <johannes@sipsolutions.net> | 2009-07-10 05:39:26 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2009-07-24 15:05:10 -0400 |
| commit | a43816df2a1a61effcb701037bdf63621d066182 (patch) | |
| tree | 33346bbbb1621dfc7966c2f4ad8b1a76f4145d18 | |
| parent | ec3f149017ef3fd21343b1dcec3589eec6ba5dd5 (diff) | |
mac80211: mesh: fix two small problems
1) there's a spin_lock() that needs to be spin_lock_bh()
2) action frames of size 24 might cause an out-of-bounds
memory access (for the 25th byte only, so no big deal)
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
| -rw-r--r-- | net/mac80211/mesh.c | 5 | ||||
| -rw-r--r-- | net/mac80211/mesh_hwmp.c | 6 |
2 files changed, 7 insertions, 4 deletions
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c index 542ea025494e..8a97b1423088 100644 --- a/net/mac80211/mesh.c +++ b/net/mac80211/mesh.c | |||
| @@ -685,9 +685,12 @@ ieee80211_mesh_rx_mgmt(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb) | |||
| 685 | fc = le16_to_cpu(mgmt->frame_control); | 685 | fc = le16_to_cpu(mgmt->frame_control); |
| 686 | 686 | ||
| 687 | switch (fc & IEEE80211_FCTL_STYPE) { | 687 | switch (fc & IEEE80211_FCTL_STYPE) { |
| 688 | case IEEE80211_STYPE_ACTION: | ||
| 689 | if (skb->len < IEEE80211_MIN_ACTION_SIZE) | ||
| 690 | return RX_DROP_MONITOR; | ||
| 691 | /* fall through */ | ||
| 688 | case IEEE80211_STYPE_PROBE_RESP: | 692 | case IEEE80211_STYPE_PROBE_RESP: |
| 689 | case IEEE80211_STYPE_BEACON: | 693 | case IEEE80211_STYPE_BEACON: |
| 690 | case IEEE80211_STYPE_ACTION: | ||
| 691 | skb_queue_tail(&ifmsh->skb_queue, skb); | 694 | skb_queue_tail(&ifmsh->skb_queue, skb); |
| 692 | queue_work(local->hw.workqueue, &ifmsh->work); | 695 | queue_work(local->hw.workqueue, &ifmsh->work); |
| 693 | return RX_QUEUED; | 696 | return RX_QUEUED; |
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c index f49ef288e2e2..8e86e910edfc 100644 --- a/net/mac80211/mesh_hwmp.c +++ b/net/mac80211/mesh_hwmp.c | |||
| @@ -686,11 +686,11 @@ void mesh_path_start_discovery(struct ieee80211_sub_if_data *sdata) | |||
| 686 | u8 ttl, dst_flags; | 686 | u8 ttl, dst_flags; |
| 687 | u32 lifetime; | 687 | u32 lifetime; |
| 688 | 688 | ||
| 689 | spin_lock(&ifmsh->mesh_preq_queue_lock); | 689 | spin_lock_bh(&ifmsh->mesh_preq_queue_lock); |
| 690 | if (!ifmsh->preq_queue_len || | 690 | if (!ifmsh->preq_queue_len || |
| 691 | time_before(jiffies, ifmsh->last_preq + | 691 | time_before(jiffies, ifmsh->last_preq + |
| 692 | min_preq_int_jiff(sdata))) { | 692 | min_preq_int_jiff(sdata))) { |
| 693 | spin_unlock(&ifmsh->mesh_preq_queue_lock); | 693 | spin_unlock_bh(&ifmsh->mesh_preq_queue_lock); |
| 694 | return; | 694 | return; |
| 695 | } | 695 | } |
| 696 | 696 | ||
| @@ -698,7 +698,7 @@ void mesh_path_start_discovery(struct ieee80211_sub_if_data *sdata) | |||
| 698 | struct mesh_preq_queue, list); | 698 | struct mesh_preq_queue, list); |
| 699 | list_del(&preq_node->list); | 699 | list_del(&preq_node->list); |
| 700 | --ifmsh->preq_queue_len; | 700 | --ifmsh->preq_queue_len; |
| 701 | spin_unlock(&ifmsh->mesh_preq_queue_lock); | 701 | spin_unlock_bh(&ifmsh->mesh_preq_queue_lock); |
| 702 | 702 | ||
| 703 | rcu_read_lock(); | 703 | rcu_read_lock(); |
| 704 | mpath = mesh_path_lookup(preq_node->dst, sdata); | 704 | mpath = mesh_path_lookup(preq_node->dst, sdata); |