Search Linux Wireless

[PATCH wireless-2.6] mac80211: fix use-after-free

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: Johannes Berg <johannes.berg@xxxxxxxxx>

commit 8c0c709eea5cbab97fb464cd68b06f24acc58ee1
Author: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
Date:   Wed Nov 25 17:46:15 2009 +0100

    mac80211: move cmntr flag out of rx flags

moved the CMTR flag into the skb's status, and
in doing so introduced a use-after-free -- when
the skb has been handed to cooked monitors the
status setting will touch now invalid memory.

Additionally, moving it there has effectively
discarded the optimisation -- since the bit is
only ever set on freed SKBs, and those were a
copy, it could never be checked.

For the current release, fixing this properly
is a bit too involved, so let's just remove the
problematic code and leave userspace with one
copy of each frame for each virtual interface.

Cc: stable@xxxxxxxxxx [2.6.33+]
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
---
NOTE: John, you either need to put this into wireless-2.6
      and then merge that into wireless-next-2.6 and revert
      this patch before applying my other patchset, or there
      will be merge issues (which should be fairly simple,
      but I haven't tried) when you later merge wireless-2.6
      into wireless-next-2.6 or this happens in linux-next.

 net/mac80211/rx.c |    4 ----
 1 file changed, 4 deletions(-)

--- iwlwifi-jo.orig/net/mac80211/rx.c	2010-09-24 11:13:33.000000000 +0200
+++ iwlwifi-jo/net/mac80211/rx.c	2010-09-24 11:14:28.000000000 +0200
@@ -2199,9 +2199,6 @@ static void ieee80211_rx_cooked_monitor(
 	struct net_device *prev_dev = NULL;
 	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
 
-	if (status->flag & RX_FLAG_INTERNAL_CMTR)
-		goto out_free_skb;
-
 	if (skb_headroom(skb) < sizeof(*rthdr) &&
 	    pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC))
 		goto out_free_skb;
@@ -2260,7 +2257,6 @@ static void ieee80211_rx_cooked_monitor(
 	} else
 		goto out_free_skb;
 
-	status->flag |= RX_FLAG_INTERNAL_CMTR;
 	return;
 
  out_free_skb:


--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux