diff options
author | Johannes Berg <johannes@sipsolutions.net> | 2009-10-31 02:40:37 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-11-02 15:14:07 -0500 |
commit | 7400f42e9d765fa0656b432f3ab1245f9710f190 (patch) | |
tree | 0ed7c06fb44c0c2b966755c2a0264827b7e100f3 /net | |
parent | e9024a059f2c17fb2bfab212ee9d31511d7b8e57 (diff) |
cfg80211: fix NULL ptr deref
commit 211a4d12abf86fe0df4cd68fc6327cbb58f56f81
Author: Johannes Berg <johannes@sipsolutions.net>
Date: Tue Oct 20 15:08:53 2009 +0900
cfg80211: sme: deauthenticate on assoc failure
introduced a potential NULL pointer dereference that
some people have been hitting for some reason -- the
params.bssid pointer is not guaranteed to be non-NULL
for what seems to be a race between various ways of
reaching the same thing.
While I'm trying to analyse the problem more let's
first fix the crash. I think the real fix may be to
avoid doing _anything_ if it ended up being NULL, but
right now I'm not sure yet.
I think
http://bugzilla.kernel.org/show_bug.cgi?id=14342
might also be this issue.
Reported-by: Parag Warudkar <parag.lkml@gmail.com>
Tested-by: Parag Warudkar <parag.lkml@gmail.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/wireless/sme.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/net/wireless/sme.c b/net/wireless/sme.c index ece378d531ef..9f0b2800a9d7 100644 --- a/net/wireless/sme.c +++ b/net/wireless/sme.c | |||
@@ -165,7 +165,7 @@ void cfg80211_conn_work(struct work_struct *work) | |||
165 | struct cfg80211_registered_device *rdev = | 165 | struct cfg80211_registered_device *rdev = |
166 | container_of(work, struct cfg80211_registered_device, conn_work); | 166 | container_of(work, struct cfg80211_registered_device, conn_work); |
167 | struct wireless_dev *wdev; | 167 | struct wireless_dev *wdev; |
168 | u8 bssid[ETH_ALEN]; | 168 | u8 bssid_buf[ETH_ALEN], *bssid = NULL; |
169 | 169 | ||
170 | rtnl_lock(); | 170 | rtnl_lock(); |
171 | cfg80211_lock_rdev(rdev); | 171 | cfg80211_lock_rdev(rdev); |
@@ -181,7 +181,10 @@ void cfg80211_conn_work(struct work_struct *work) | |||
181 | wdev_unlock(wdev); | 181 | wdev_unlock(wdev); |
182 | continue; | 182 | continue; |
183 | } | 183 | } |
184 | memcpy(bssid, wdev->conn->params.bssid, ETH_ALEN); | 184 | if (wdev->conn->params.bssid) { |
185 | memcpy(bssid_buf, wdev->conn->params.bssid, ETH_ALEN); | ||
186 | bssid = bssid_buf; | ||
187 | } | ||
185 | if (cfg80211_conn_do_work(wdev)) | 188 | if (cfg80211_conn_do_work(wdev)) |
186 | __cfg80211_connect_result( | 189 | __cfg80211_connect_result( |
187 | wdev->netdev, bssid, | 190 | wdev->netdev, bssid, |