diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2012-11-28 19:25:20 -0500 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2012-11-30 07:42:20 -0500 |
| commit | 9caf03640279e64d0ba36539b42daa1b43a49486 (patch) | |
| tree | cb094a4a577f61421d1b402e16f0e68f151d5726 /net/wireless/sme.c | |
| parent | b9a9ada14aab17f08c1d9735601f1097cdcfc6de (diff) | |
cfg80211: fix BSS struct IE access races
When a BSS struct is updated, the IEs are currently
overwritten or freed. This can lead to races if some
other CPU is accessing the BSS struct and using the
IEs concurrently.
Fix this by always allocating the IEs in a new struct
that holds the data and length and protecting access
to this new struct with RCU.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless/sme.c')
| -rw-r--r-- | net/wireless/sme.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/net/wireless/sme.c b/net/wireless/sme.c index c7490027237d..f2431e41a373 100644 --- a/net/wireless/sme.c +++ b/net/wireless/sme.c | |||
| @@ -417,7 +417,7 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid, | |||
| 417 | struct cfg80211_bss *bss) | 417 | struct cfg80211_bss *bss) |
| 418 | { | 418 | { |
| 419 | struct wireless_dev *wdev = dev->ieee80211_ptr; | 419 | struct wireless_dev *wdev = dev->ieee80211_ptr; |
| 420 | u8 *country_ie; | 420 | const u8 *country_ie; |
| 421 | #ifdef CONFIG_CFG80211_WEXT | 421 | #ifdef CONFIG_CFG80211_WEXT |
| 422 | union iwreq_data wrqu; | 422 | union iwreq_data wrqu; |
| 423 | #endif | 423 | #endif |
| @@ -501,7 +501,15 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid, | |||
| 501 | wdev->sme_state = CFG80211_SME_CONNECTED; | 501 | wdev->sme_state = CFG80211_SME_CONNECTED; |
| 502 | cfg80211_upload_connect_keys(wdev); | 502 | cfg80211_upload_connect_keys(wdev); |
| 503 | 503 | ||
| 504 | country_ie = (u8 *) ieee80211_bss_get_ie(bss, WLAN_EID_COUNTRY); | 504 | rcu_read_lock(); |
| 505 | country_ie = ieee80211_bss_get_ie(bss, WLAN_EID_COUNTRY); | ||
| 506 | if (!country_ie) { | ||
| 507 | rcu_read_unlock(); | ||
| 508 | return; | ||
| 509 | } | ||
| 510 | |||
| 511 | country_ie = kmemdup(country_ie, 2 + country_ie[1], GFP_ATOMIC); | ||
| 512 | rcu_read_unlock(); | ||
| 505 | 513 | ||
| 506 | if (!country_ie) | 514 | if (!country_ie) |
| 507 | return; | 515 | return; |
| @@ -515,6 +523,7 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid, | |||
| 515 | bss->channel->band, | 523 | bss->channel->band, |
| 516 | country_ie + 2, | 524 | country_ie + 2, |
| 517 | country_ie[1]); | 525 | country_ie[1]); |
| 526 | kfree(country_ie); | ||
| 518 | } | 527 | } |
| 519 | 528 | ||
| 520 | void cfg80211_connect_result(struct net_device *dev, const u8 *bssid, | 529 | void cfg80211_connect_result(struct net_device *dev, const u8 *bssid, |