cfg80211: fix NULL ptr deref

commit 211a4d12abf86fe0df4cd68fc6327cbb58f56f81
Author: Johannes Berg <johannes@sipsolutions.net>
Date: Tue Oct 20 15:08:53 2009 +0900

cfg80211: sme: deauthenticate on assoc failure

introduced a potential NULL pointer dereference that
some people have been hitting for some reason -- the
params.bssid pointer is not guaranteed to be non-NULL
for what seems to be a race between various ways of
reaching the same thing.

While I'm trying to analyse the problem more let's
first fix the crash. I think the real fix may be to
avoid doing _anything_ if it ended up being NULL, but
right now I'm not sure yet.

I think
http://bugzilla.kernel.org/show_bug.cgi?id=14342
might also be this issue.

Reported-by: Parag Warudkar <parag.lkml@gmail.com>
Tested-by: Parag Warudkar <parag.lkml@gmail.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

authored by Johannes Berg and committed by John W. Linville 7400f42e e9024a05

+5 -2
net/wireless/sme.c
··· 165 struct cfg80211_registered_device *rdev = 166 container_of(work, struct cfg80211_registered_device, conn_work); 167 struct wireless_dev *wdev; 168 - u8 bssid[ETH_ALEN]; 169 170 rtnl_lock(); 171 cfg80211_lock_rdev(rdev); ··· 181 wdev_unlock(wdev); 182 continue; 183 } 184 - memcpy(bssid, wdev->conn->params.bssid, ETH_ALEN); 185 if (cfg80211_conn_do_work(wdev)) 186 __cfg80211_connect_result( 187 wdev->netdev, bssid,
··· 165 struct cfg80211_registered_device *rdev = 166 container_of(work, struct cfg80211_registered_device, conn_work); 167 struct wireless_dev *wdev; 168 + u8 bssid_buf[ETH_ALEN], *bssid = NULL; 169 170 rtnl_lock(); 171 cfg80211_lock_rdev(rdev); ··· 181 wdev_unlock(wdev); 182 continue; 183 } 184 + if (wdev->conn->params.bssid) { 185 + memcpy(bssid_buf, wdev->conn->params.bssid, ETH_ALEN); 186 + bssid = bssid_buf; 187 + } 188 if (cfg80211_conn_do_work(wdev)) 189 __cfg80211_connect_result( 190 wdev->netdev, bssid,
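Review bot: when `wdev->conn->params.bssid` is NULL, the new guard leaves `bssid` as NULL and that value is still passed to `__cfg80211_connect_result(wdev->netdev, bssid, ...)` a few lines later. Nothing visible in this hunk shows that the callee accepts a NULL bssid, so the dereference may only have moved from the `memcpy` into the callee. Please confirm that path handles NULL, or skip the result call in that case, which is the alternative the commit message itself raises. A short comment at the `if (wdev->conn->params.bssid)` check saying that NULL is an expected state here and why would also help, since the message attributes it to a race that is not yet understood and the next reader will otherwise take the check for dead code.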