On Fri, 2010-10-08 at 10:56 -0700, Javier Cardona wrote:
> We believe Christian's second patch fixes a null-pointer de-reference
> that would be triggered by a PLINK_OPEN frame with
> mismatching/incompatible mesh configuration. Let's analyze that case:
>
> void mesh_rx_plink_frame(...)
> (...)
> sta = sta_info_get(sdata, mgmt->sa); <-- will return null
> if (!sta && ftype != PLINK_OPEN) { <-- false for PLINK_OPEN frames
> (...)
> if (ftype != PLINK_CLOSE && (!mesh_matches_local(&elems, sdata))) {
> <-- true for PLINK_OPEN, non-compatible mesh config
> (...)
> spin_lock_bh(&sta->lock); <-- boom!

Good point. I glossed over the part here and just looked at the else
branch with !sta.

> The patch not only solves this problem, but also responds correctly to
> non-compatible PLINK_OPEN frames by generating a PLINK_CLOSE with the
> right reason code.

But then you can't ever actually properly process a *matching* PLINK_OPEN
frame, afaict, because those definitely do have "!sta && ftype == PLINK_OPEN"
which is how the "if (!sta && ftype != PLINK_OPEN) return" came about, afaict.
So I still don't think it's quite correct to fix it this way.

johannes
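Added illustration, not part of this thread and not mac80211 code: a small C model of the check ordering the two messages argue about. The quoted guard only skips non-OPEN frames from unknown peers, so a PLINK_OPEN that fails the mesh-configuration check reaches the lock with sta == NULL, while a matching PLINK_OPEN from an unknown peer is exactly the case the guard was written to let through. The model reports the dereference as an outcome instead of performing it. The second function is a hypothetical reordering written for this example (it is not Christian's patch): it decides on the mesh configuration before touching sta, so a mismatching OPEN gets a reject without any dereference and a matching OPEN from an unknown peer is still processed. The enum values and the struct are constructed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Peer-link frame subtypes named in the thread; the numeric values are
 * constructed for this model and are not mac80211's. */
enum plink_ftype { PLINK_OPEN, PLINK_CONFIRM, PLINK_CLOSE };

/* What the receive path ends up doing with a frame. */
enum plink_outcome {
    OUT_DROP,        /* ignored: unknown peer and not a PLINK_OPEN */
    OUT_NULL_DEREF,  /* code would take sta->lock with sta == NULL */
    OUT_REJECT,      /* incompatible mesh config: answer with PLINK_CLOSE */
    OUT_PROCESS      /* handed to the peer-link state machine */
};

/* Stand-in for the station entry; only the lock field matters here. */
struct sta_info { int lock; };

/* A known peer, used to model a successful sta_info_get(). */
struct sta_info known_peer;

/* Ordering as quoted in the thread. The null guard only excludes non-OPEN
 * frames, so a mismatching PLINK_OPEN from an unknown peer reaches the
 * lock with sta == NULL. The dereference is reported, not performed. */
enum plink_outcome rx_plink_original(struct sta_info *sta,
                                     enum plink_ftype ftype,
                                     bool matches_local)
{
    if (!sta && ftype != PLINK_OPEN)
        return OUT_DROP;

    if (ftype != PLINK_CLOSE && !matches_local) {
        if (!sta)
            return OUT_NULL_DEREF;     /* spin_lock_bh(&sta->lock): boom */
        /* Model assumption: with a valid sta the frame is rejected
         * under the lock. */
        return OUT_REJECT;
    }

    /* A matching PLINK_OPEN from an unknown peer creates the station
     * entry and is processed; that is what the guard was written for. */
    return OUT_PROCESS;
}

/* Hypothetical reordering (not the patch under discussion): evaluate the
 * mesh configuration before touching sta, then apply the null guard. */
enum plink_outcome rx_plink_reordered(struct sta_info *sta,
                                      enum plink_ftype ftype,
                                      bool matches_local)
{
    if (ftype != PLINK_CLOSE && !matches_local)
        return OUT_REJECT;             /* no sta needed to send PLINK_CLOSE */

    if (!sta && ftype != PLINK_OPEN)
        return OUT_DROP;

    return OUT_PROCESS;                /* sta is valid or will be created */
}

static const char *outcome_name(enum plink_outcome o)
{
    static const char *names[] = { "drop", "NULL deref", "reject", "process" };
    return names[o];
}

int main(void)
{
    /* Constructed cases covering both sides of the argument. */
    struct {
        struct sta_info *sta; enum plink_ftype ftype; bool match; const char *desc;
    } cases[] = {
        { NULL,        PLINK_OPEN,    false, "unknown peer, OPEN, mismatch" },
        { NULL,        PLINK_OPEN,    true,  "unknown peer, OPEN, match" },
        { NULL,        PLINK_CONFIRM, true,  "unknown peer, CONFIRM" },
        { &known_peer, PLINK_OPEN,    false, "known peer, OPEN, mismatch" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-30s original: %-11s reordered: %s\n", cases[i].desc,
               outcome_name(rx_plink_original(cases[i].sta, cases[i].ftype, cases[i].match)),
               outcome_name(rx_plink_reordered(cases[i].sta, cases[i].ftype, cases[i].match)));
    return 0;
}
```

The first table row is the crash Javier describes; the second is the matching-OPEN case Johannes is worried about. Any fix that satisfies both has to keep the "unknown peer + PLINK_OPEN" path open while never reading through sta before it is known to be non-NULL, which is what the reordered variant models.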