aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJohannes Berg <johannes@sipsolutions.net>2009-10-31 02:40:37 -0400
committerJohn W. Linville <linville@tuxdriver.com>2009-11-02 15:14:07 -0500
commit7400f42e9d765fa0656b432f3ab1245f9710f190 (patch)
tree0ed7c06fb44c0c2b966755c2a0264827b7e100f3 /net
parente9024a059f2c17fb2bfab212ee9d31511d7b8e57 (diff)
cfg80211: fix NULL ptr deref
commit 211a4d12abf86fe0df4cd68fc6327cbb58f56f81 Author: Johannes Berg <johannes@sipsolutions.net> Date: Tue Oct 20 15:08:53 2009 +0900 cfg80211: sme: deauthenticate on assoc failure introduced a potential NULL pointer dereference that some people have been hitting for some reason -- the params.bssid pointer is not guaranteed to be non-NULL for what seems to be a race between various ways of reaching the same thing. While I'm trying to analyse the problem more let's first fix the crash. I think the real fix may be to avoid doing _anything_ if it ended up being NULL, but right now I'm not sure yet. I think http://bugzilla.kernel.org/show_bug.cgi?id=14342 might also be this issue. Reported-by: Parag Warudkar <parag.lkml@gmail.com> Tested-by: Parag Warudkar <parag.lkml@gmail.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
-rw-r--r--net/wireless/sme.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index ece378d531ef..9f0b2800a9d7 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -165,7 +165,7 @@ void cfg80211_conn_work(struct work_struct *work)
165 struct cfg80211_registered_device *rdev = 165 struct cfg80211_registered_device *rdev =
166 container_of(work, struct cfg80211_registered_device, conn_work); 166 container_of(work, struct cfg80211_registered_device, conn_work);
167 struct wireless_dev *wdev; 167 struct wireless_dev *wdev;
168 u8 bssid[ETH_ALEN]; 168 u8 bssid_buf[ETH_ALEN], *bssid = NULL;
169 169
170 rtnl_lock(); 170 rtnl_lock();
171 cfg80211_lock_rdev(rdev); 171 cfg80211_lock_rdev(rdev);
@@ -181,7 +181,10 @@ void cfg80211_conn_work(struct work_struct *work)
181 wdev_unlock(wdev); 181 wdev_unlock(wdev);
182 continue; 182 continue;
183 } 183 }
184 memcpy(bssid, wdev->conn->params.bssid, ETH_ALEN); 184 if (wdev->conn->params.bssid) {
185 memcpy(bssid_buf, wdev->conn->params.bssid, ETH_ALEN);
186 bssid = bssid_buf;
187 }
185 if (cfg80211_conn_do_work(wdev)) 188 if (cfg80211_conn_do_work(wdev))
186 __cfg80211_connect_result( 189 __cfg80211_connect_result(
187 wdev->netdev, bssid, 190 wdev->netdev, bssid,