dev_open will eventually call ieee80211_ibss_join which sets up the skb used for beacons/probe-responses however it is possible to receive beacons that attempt to merge before this occurs causing a null pointer dereference. Check ssid_len as that is the last thing set in ieee80211_ibss_join. This occurs quite easily in the presence of adhoc nodes with hidden SSID's Signed-off-by: Tim Harvey <harvey.tim@xxxxxxxxx> --- net/mac80211/ibss.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c index 410d104..93926c0 100644 --- a/net/mac80211/ibss.c +++ b/net/mac80211/ibss.c @@ -85,6 +85,8 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata, /* Reset own TSF to allow time synchronization work. */ drv_reset_tsf(local); + if (!ifibss->ssid_len) + return; /* not ready to merge yet */ skb = ifibss->skb; rcu_assign_pointer(ifibss->presp, NULL); synchronize_rcu(); -- 1.7.0.4 -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
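Review bot: the new `if (!ifibss->ssid_len) return;` is placed after `drv_reset_tsf(local);`, so a beacon that arrives before ieee80211_ibss_join has finished still resets the interface's TSF even though the merge is then abandoned; moving the check to the top of the function, ahead of the TSF reset, avoids that side effect. The commit message also makes ssid_len a proxy for "the beacon skb has been set up", but the pointer actually dereferenced later is `ifibss->skb` (read into `skb = ifibss->skb;` two lines below the insertion), so either test that pointer for NULL directly or extend the inline comment to state that ssid_len is the last field written by ieee80211_ibss_join and therefore signals that `skb` and `presp` are valid, otherwise the coupling between the two functions is invisible to the next reader.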