dev_open will eventually call ieee80211_ibss_join, which sets up the skb used for beacons/probe-responses; however, it is possible to receive beacons that attempt to merge before this occurs, causing a null pointer dereference. This occurs quite easily in the presence of ad-hoc nodes with hidden SSIDs.
---
 net/mac80211/ibss.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 410d104..24e2482 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -86,6 +86,8 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
 	drv_reset_tsf(local);
 
 	skb = ifibss->skb;
+	if (!skb)
+		return; /* not ready to merge yet */
 	rcu_assign_pointer(ifibss->presp, NULL);
 	synchronize_rcu();
 	skb->data = skb->head;
-- 
1.7.0.4
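Review bot: the NULL test sits after drv_reset_tsf(local) and after everything __ieee80211_sta_join_ibss does above this hunk, so a beacon that arrives before ieee80211_ibss_join has allocated ifibss->skb still resets the hardware TSF and then bails out with the join half done. Since the early return is meant to mean "not ready to merge yet", the check should go at the top of __ieee80211_sta_join_ibss (or in the caller that decides to merge), e.g. `if (!ifibss->skb) return;` before any state is touched, so an unready interface is left exactly as it was. It would also help to say in the comment or the commit message which path assigns ifibss->skb and why it cannot become NULL again after this test, so a later reader can see the race is closed rather than just narrowed.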