madwifi: fix some potential null pointer derefs with wds
SVN-Revision: 19322
This commit is contained in:
Felix Fietkau
parent
6351d88e29
commit
e85f50118c
7 changed files with 17 additions and 15 deletions
|
|
@ -794,7 +794,7 @@
|
||||||
vap->iv_stats.is_rx_mgtdiscard++;
|
vap->iv_stats.is_rx_mgtdiscard++;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@@ -3471,13 +3519,54 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
@@ -3471,13 +3519,56 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
||||||
*/
|
*/
|
||||||
if (ic->ic_flags & IEEE80211_F_SCAN) {
|
if (ic->ic_flags & IEEE80211_F_SCAN) {
|
||||||
ieee80211_add_scan(vap, &scan, wh, subtype, rssi, rtsf);
|
ieee80211_add_scan(vap, &scan, wh, subtype, rssi, rtsf);
|
||||||
|
|
@ -822,13 +822,15 @@
|
||||||
+ if (!memcmp(avp->wds_mac, wh->i_addr2, IEEE80211_ADDR_LEN)) {
|
+ if (!memcmp(avp->wds_mac, wh->i_addr2, IEEE80211_ADDR_LEN)) {
|
||||||
+ if (avp->iv_state != IEEE80211_S_RUN)
|
+ if (avp->iv_state != IEEE80211_S_RUN)
|
||||||
+ continue;
|
+ continue;
|
||||||
|
+ if (!avp->iv_wdsnode)
|
||||||
|
+ continue;
|
||||||
+ found = 1;
|
+ found = 1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ if (found)
|
+ if (found)
|
||||||
+ ni = ni_or_null = avp->iv_wdsnode;
|
+ ni = ni_or_null = avp->iv_wdsnode;
|
||||||
+ } else if (vap->iv_opmode == IEEE80211_M_WDS) {
|
+ } else if ((vap->iv_opmode == IEEE80211_M_WDS) && vap->iv_wdsnode) {
|
||||||
+ found = 1;
|
+ found = 1;
|
||||||
+ ni = ni_or_null = vap->iv_wdsnode;
|
+ ni = ni_or_null = vap->iv_wdsnode;
|
||||||
+ }
|
+ }
|
||||||
|
|
@ -854,7 +856,7 @@
|
||||||
} else {
|
} else {
|
||||||
/*
|
/*
|
||||||
* Copy data from beacon to neighbor table.
|
* Copy data from beacon to neighbor table.
|
||||||
@@ -3490,6 +3579,7 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
@@ -3490,6 +3581,7 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
||||||
IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
|
IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
|
||||||
memcpy(ni->ni_tstamp.data, scan.tstamp,
|
memcpy(ni->ni_tstamp.data, scan.tstamp,
|
||||||
sizeof(ni->ni_tstamp));
|
sizeof(ni->ni_tstamp));
|
||||||
|
|
|
||||||
|
|
@ -56,7 +56,7 @@
|
||||||
/*
|
/*
|
||||||
--- a/net80211/ieee80211_input.c
|
--- a/net80211/ieee80211_input.c
|
||||||
+++ b/net80211/ieee80211_input.c
|
+++ b/net80211/ieee80211_input.c
|
||||||
@@ -4018,7 +4018,26 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
@@ -4020,7 +4020,26 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
||||||
vap->iv_stats.is_rx_assoc_norate++;
|
vap->iv_stats.is_rx_assoc_norate++;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
--- a/net80211/ieee80211_input.c
|
--- a/net80211/ieee80211_input.c
|
||||||
+++ b/net80211/ieee80211_input.c
|
+++ b/net80211/ieee80211_input.c
|
||||||
@@ -4441,7 +4441,9 @@ ath_eth_type_trans(struct sk_buff *skb,
|
@@ -4443,7 +4443,9 @@ ath_eth_type_trans(struct sk_buff *skb,
|
||||||
if (memcmp(eth->h_dest, dev->dev_addr, ETH_ALEN))
|
if (memcmp(eth->h_dest, dev->dev_addr, ETH_ALEN))
|
||||||
skb->pkt_type = PACKET_OTHERHOST;
|
skb->pkt_type = PACKET_OTHERHOST;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -327,7 +327,7 @@
|
||||||
int found = 0;
|
int found = 0;
|
||||||
|
|
||||||
IEEE80211_LOCK_IRQ(vap->iv_ic);
|
IEEE80211_LOCK_IRQ(vap->iv_ic);
|
||||||
@@ -3551,10 +3561,12 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
@@ -3553,10 +3563,12 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
||||||
ni->ni_associd |= 0xc000;
|
ni->ni_associd |= 0xc000;
|
||||||
avp->iv_wdsnode = ieee80211_ref_node(ni);
|
avp->iv_wdsnode = ieee80211_ref_node(ni);
|
||||||
IEEE80211_UNLOCK_IRQ(ic);
|
IEEE80211_UNLOCK_IRQ(ic);
|
||||||
|
|
@ -341,7 +341,7 @@
|
||||||
} else {
|
} else {
|
||||||
/*
|
/*
|
||||||
* Copy data from beacon to neighbor table.
|
* Copy data from beacon to neighbor table.
|
||||||
@@ -3593,6 +3605,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
@@ -3595,6 +3607,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
||||||
ni->ni_rssi = rssi;
|
ni->ni_rssi = rssi;
|
||||||
ni->ni_rtsf = rtsf;
|
ni->ni_rtsf = rtsf;
|
||||||
ni->ni_last_rx = jiffies;
|
ni->ni_last_rx = jiffies;
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
--- a/net80211/ieee80211_input.c
|
--- a/net80211/ieee80211_input.c
|
||||||
+++ b/net80211/ieee80211_input.c
|
+++ b/net80211/ieee80211_input.c
|
||||||
@@ -3619,6 +3619,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
@@ -3621,6 +3621,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
||||||
vap->iv_stats.is_rx_mgtdiscard++;
|
vap->iv_stats.is_rx_mgtdiscard++;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -44,8 +44,8 @@
|
||||||
if (dir != IEEE80211_FC1_DIR_NODS) {
|
if (dir != IEEE80211_FC1_DIR_NODS) {
|
||||||
IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
|
IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
|
||||||
wh, "data", "invalid dir 0x%x", dir);
|
wh, "data", "invalid dir 0x%x", dir);
|
||||||
@@ -3556,6 +3561,11 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
@@ -3558,6 +3563,11 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
||||||
} else if (vap->iv_opmode == IEEE80211_M_WDS) {
|
} else if ((vap->iv_opmode == IEEE80211_M_WDS) && vap->iv_wdsnode) {
|
||||||
found = 1;
|
found = 1;
|
||||||
ni = ni_or_null = vap->iv_wdsnode;
|
ni = ni_or_null = vap->iv_wdsnode;
|
||||||
+ } else if (vap->iv_opmode == IEEE80211_M_IBSS) {
|
+ } else if (vap->iv_opmode == IEEE80211_M_IBSS) {
|
||||||
|
|
@ -56,7 +56,7 @@
|
||||||
}
|
}
|
||||||
IEEE80211_UNLOCK_IRQ(vap->iv_ic);
|
IEEE80211_UNLOCK_IRQ(vap->iv_ic);
|
||||||
|
|
||||||
@@ -3684,19 +3694,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
@@ -3686,19 +3696,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
||||||
vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
|
vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -53,13 +53,13 @@
|
||||||
int found = 0;
|
int found = 0;
|
||||||
|
|
||||||
IEEE80211_LOCK_IRQ(vap->iv_ic);
|
IEEE80211_LOCK_IRQ(vap->iv_ic);
|
||||||
@@ -3568,14 +3561,12 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
@@ -3570,14 +3563,12 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (found)
|
if (found)
|
||||||
- ni = ni_or_null = avp->iv_wdsnode;
|
- ni = ni_or_null = avp->iv_wdsnode;
|
||||||
+ tni = ieee80211_ref_node(avp->iv_wdsnode);
|
+ tni = ieee80211_ref_node(avp->iv_wdsnode);
|
||||||
} else if (vap->iv_opmode == IEEE80211_M_WDS) {
|
} else if ((vap->iv_opmode == IEEE80211_M_WDS) && vap->iv_wdsnode) {
|
||||||
found = 1;
|
found = 1;
|
||||||
- ni = ni_or_null = vap->iv_wdsnode;
|
- ni = ni_or_null = vap->iv_wdsnode;
|
||||||
- } else if (vap->iv_opmode == IEEE80211_M_IBSS) {
|
- } else if (vap->iv_opmode == IEEE80211_M_IBSS) {
|
||||||
|
|
@ -72,7 +72,7 @@
|
||||||
found = 1;
|
found = 1;
|
||||||
}
|
}
|
||||||
IEEE80211_UNLOCK_IRQ(vap->iv_ic);
|
IEEE80211_UNLOCK_IRQ(vap->iv_ic);
|
||||||
@@ -3583,20 +3574,21 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
@@ -3585,20 +3576,21 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
||||||
if (!found)
|
if (!found)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
|
@ -100,7 +100,7 @@
|
||||||
} else {
|
} else {
|
||||||
/*
|
/*
|
||||||
* Copy data from beacon to neighbor table.
|
* Copy data from beacon to neighbor table.
|
||||||
@@ -3604,39 +3596,38 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
@@ -3606,39 +3598,38 @@ ieee80211_recv_mgmt(struct ieee80211vap
|
||||||
* ieee80211_add_neighbor(), so we just copy
|
* ieee80211_add_neighbor(), so we just copy
|
||||||
* everything over to be safe.
|
* everything over to be safe.
|
||||||
*/
|
*/
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue