diff options
author | Tim Harvey <harvey.tim@gmail.com> | 2010-12-09 13:43:13 -0500 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2010-12-13 14:53:46 -0500 |
commit | c926d006c1514cfb3572893f41f2324e96823661 (patch) | |
tree | b76f1ac5f172f7a5ee47da767cdc31bd4e164e32 /net/mac80211/ibss.c | |
parent | 4a55d5852adbe66722fb1636c82c7864cd5be441 (diff) |
mac80211: Fix NULL-pointer deference on ibss merge when not ready
dev_open will eventually call ieee80211_ibss_join which sets up the
skb used for beacons/probe-responses however it is possible to
receive beacons that attempt to merge before this occurs causing
a null pointer dereference. Check ssid_len as that is the last
thing set in ieee80211_ibss_join.
This occurs quite easily in the presence of adhoc nodes with hidden SSID's
revised previous patch to check further up based on irc feedback
Signed-off-by: Tim Harvey <harvey.tim@gmail.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211/ibss.c')
-rw-r--r-- | net/mac80211/ibss.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c index 239c4836a946..077a93dd1671 100644 --- a/net/mac80211/ibss.c +++ b/net/mac80211/ibss.c | |||
@@ -780,6 +780,9 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata, | |||
780 | 780 | ||
781 | mutex_lock(&sdata->u.ibss.mtx); | 781 | mutex_lock(&sdata->u.ibss.mtx); |
782 | 782 | ||
783 | if (!sdata->u.ibss.ssid_len) | ||
784 | goto mgmt_out; /* not ready to merge yet */ | ||
785 | |||
783 | switch (fc & IEEE80211_FCTL_STYPE) { | 786 | switch (fc & IEEE80211_FCTL_STYPE) { |
784 | case IEEE80211_STYPE_PROBE_REQ: | 787 | case IEEE80211_STYPE_PROBE_REQ: |
785 | ieee80211_rx_mgmt_probe_req(sdata, mgmt, skb->len); | 788 | ieee80211_rx_mgmt_probe_req(sdata, mgmt, skb->len); |
@@ -797,6 +800,7 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata, | |||
797 | break; | 800 | break; |
798 | } | 801 | } |
799 | 802 | ||
803 | mgmt_out: | ||
800 | mutex_unlock(&sdata->u.ibss.mtx); | 804 | mutex_unlock(&sdata->u.ibss.mtx); |
801 | } | 805 | } |
802 | 806 | ||