Johannes,

On Thu, Oct 7, 2010 at 3:54 PM, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
>> Javier and I reviewed the patch and it definitely fixes a potential
>> problem and is correct. Furthermore, applied to wireless-testing
>> head, it passes all of our cases in our test bed.
>>
>> I think it's good to go.
>
> Err, are you positive? I think the code there is correct, apart from the
> fact that it does no validation of
> mgmt->u.action.u.plink_action.action_code whatsoever which may allow all
> kinds of abuse :)
>
> The only action that's valid w/o having a station entry for the peer is
> PLINK_OPEN, which makes perfect sense.

We believe Christian's second patch fixes a null-pointer de-reference that
would be triggered by a PLINK_OPEN frame with mismatching/incompatible mesh
configuration. Let's analyze that case:

void mesh_rx_plink_frame(...)
    (...)
    sta = sta_info_get(sdata, mgmt->sa);      <-- will return null
    if (!sta && ftype != PLINK_OPEN) {        <-- false for PLINK_OPEN frames
    (...)
    if (ftype != PLINK_CLOSE && (!mesh_matches_local(&elems, sdata))) {
                                              <-- true for PLINK_OPEN, non-compatible mesh config
    (...)
    spin_lock_bh(&sta->lock);                 <-- boom!

The patch not only solves this problem, but also responds correctly to
non-compatible PLINK_OPEN frames by generating a PLINK_CLOSE with the right
reason code.

Cheers,
Javier
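The ordering problem traced in the message above, as an added illustration that is not part of the thread: a constructed C model of the plink receive path, not the mac80211 code and not Christian's patch. The function names (handle_plink_unfixed, handle_plink_fixed, lookup_sta), the outcome enum and the reason-code value are hypothetical stand-ins. The unfixed version keeps the check order from the email, so a PLINK_OPEN from an unknown peer with a mismatching mesh configuration reaches the point where sta is used while NULL; the fixed version answers such a frame with a PLINK_CLOSE before touching any station state, and also rejects unknown action codes up front, which is the separate gap Johannes points out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the receive path discussed in the thread. It is not
 * the mac80211 mesh code; frame types, outcomes and the reason code are
 * placeholders chosen for this example. */
enum plink_frame_type { PLINK_OPEN = 0, PLINK_CONFIRM = 1, PLINK_CLOSE = 2 };
#define PLINK_ACTION_MAX PLINK_CLOSE

#define REASON_MESH_CONFIG_MISMATCH 0xEE /* placeholder reason code */

enum plink_outcome {
    OUTCOME_DROP,        /* frame ignored, no reply */
    OUTCOME_SEND_CLOSE,  /* reply with PLINK_CLOSE carrying a reason code */
    OUTCOME_PROCESS,     /* continue into the per-station plink state machine */
    OUTCOME_NULL_DEREF   /* the bug: sta would be used while NULL */
};

struct sta_info { int lock_held; };

/* Stand-in for sta_info_get(): the caller says whether the peer is known. */
static struct sta_info *lookup_sta(bool peer_known, struct sta_info *table)
{
    return peer_known ? table : NULL;
}

/* Unfixed ordering as laid out in the email: a missing station is only
 * rejected for non-OPEN frames, so an OPEN frame from an unknown peer whose
 * mesh configuration does not match (mesh_matches_local() false) reaches the
 * spin_lock_bh(&sta->lock) line with sta == NULL. */
enum plink_outcome handle_plink_unfixed(int ftype, bool peer_known,
                                        bool config_matches,
                                        struct sta_info *table)
{
    struct sta_info *sta = lookup_sta(peer_known, table);

    if (!sta && ftype != PLINK_OPEN)
        return OUTCOME_DROP;

    if (ftype != PLINK_CLOSE && !config_matches) {
        if (!sta)               /* spin_lock_bh(&sta->lock) on a NULL sta */
            return OUTCOME_NULL_DEREF;
        sta->lock_held = 1;
        return OUTCOME_SEND_CLOSE;
    }

    if (!sta)                   /* new peer, compatible config: entry is created */
        return OUTCOME_PROCESS;
    sta->lock_held = 1;
    return OUTCOME_PROCESS;
}

/* Fixed ordering: validate the action code, then decide the mesh-config
 * mismatch before any station state is needed. A non-compatible PLINK_OPEN
 * is answered with PLINK_CLOSE whether or not the peer is known. */
enum plink_outcome handle_plink_fixed(int ftype, bool peer_known,
                                      bool config_matches,
                                      struct sta_info *table, int *reason)
{
    struct sta_info *sta;

    if (ftype < PLINK_OPEN || ftype > PLINK_ACTION_MAX)
        return OUTCOME_DROP;    /* unknown action_code: never dispatched */

    sta = lookup_sta(peer_known, table);
    if (!sta && ftype != PLINK_OPEN)
        return OUTCOME_DROP;

    if (ftype != PLINK_CLOSE && !config_matches) {
        if (reason)
            *reason = REASON_MESH_CONFIG_MISMATCH;
        return OUTCOME_SEND_CLOSE;  /* no sta touched on this path */
    }

    if (!sta)                   /* new peer, compatible config: entry is created */
        return OUTCOME_PROCESS;
    sta->lock_held = 1;
    return OUTCOME_PROCESS;
}

int main(void)
{
    struct sta_info table = { 0 };
    int reason = 0;

    printf("unfixed, OPEN from unknown peer, config mismatch: %d (3 = NULL deref)\n",
           handle_plink_unfixed(PLINK_OPEN, false, false, &table));
    printf("fixed, same frame: %d (1 = send CLOSE), reason 0x%x\n",
           handle_plink_fixed(PLINK_OPEN, false, false, &table, &reason), reason);
    printf("fixed, bogus action code 99: %d (0 = drop)\n",
           handle_plink_fixed(99, true, true, &table, NULL));
    return 0;
}
```

The only structural change between the two handlers is that the mismatch decision no longer depends on having a station entry, which is exactly the case the PLINK_OPEN exception in the first check lets through.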