Re: [PATCHv5] mac80211: fix NULL pointer dereference in ieee80211_compatible_rates

Johannes Berg <johannes@xxxxxxxxxxxxxxxx> · Tue, 20 May 2008 14:57:31 +0200

On Tue, 2008-05-20 at 15:54 +0300, Tomas Winkler wrote:
> On Tue, May 20, 2008 at 10:56 AM, Helmut Schaa <hschaa@xxxxxxx> wrote:
> > Fix a possible NULL pointer dereference in ieee80211_compatible_rates
> > introduced in the patch "mac80211: fix association with some APs". If no bss
> > is available just use all supported rates in the association request.
> >
> > Signed-off-by: Helmut Schaa <hschaa@xxxxxxx>
> > ---
> >
> > diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> > index 76ad4ed..3f7f92a 100644
> > --- a/net/mac80211/mlme.c
> > +++ b/net/mac80211/mlme.c
> > @@ -721,7 +721,17 @@ static void ieee80211_send_assoc(struct net_device
> > *dev,
> >                        capab |= WLAN_CAPABILITY_PRIVACY;
> >                if (bss->wmm_ie)
> >                        wmm = 1;
> > +
> > +               /* get all rates supported by the device and the AP as
> > +                * some APs don't like getting a superset of their rates
> > +                * in the association request (e.g. D-Link DAP 1353 in
> > +                * b-only mode) */
> > +               rates_len = ieee80211_compatible_rates(bss, sband, &rates);
> > +
> >                ieee80211_rx_bss_put(dev, bss);
> > +       } else {
> > +               rates = ~0;
> > +               rates_len = sband->n_bitrates;
> >        }
> >
> >        mgmt = (struct ieee80211_mgmt *) skb_put(skb, 24);
> > @@ -752,10 +762,7 @@ static void ieee80211_send_assoc(struct net_device
> > *dev,
> >        *pos++ = ifsta->ssid_len;
> >        memcpy(pos, ifsta->ssid, ifsta->ssid_len);
> >
> > -       /* all supported rates should be added here but some APs
> > -        * (e.g. D-Link DAP 1353 in b-only mode) don't like that
> > -        * Therefore only add rates the AP supports */
> > -       rates_len = ieee80211_compatible_rates(bss, sband, &rates);
> > +       /* add all rates which were marked to be used above */
> >        supp_rates_len = rates_len;
> >        if (supp_rates_len > 8)
> >                supp_rates_len = 8;
> >
> >
> 
> I found one  ieee80211_rx_bss_{get,put} imbalance   in
> ieee80211_sta_join_ibss function
> That may cause this problem yet it doesn't look like this is the case.
> ieee80211_sta_join_ibss
> calls ieee80211_rx_bss_put on 'bss' that it receives as an argument
> Keep searching.

Hm. Send a patch? :)

> I suggest to insert at least some WARN_ON(1) for the else case.

Disagree, not until somebody audits the code. We already know it can
happen and a WARN() won't help us track it down because it provides no
additional information (stack trace is useless)

johannes
Attachment:
signature.asc

Description: This is a digitally signed message part