On Thu, 2010-12-09 at 10:43 -0800, Tim Harvey wrote:
> dev_open will eventually call ieee80211_ibss_join which sets up the
> skb used for beacons/probe-responses however it is possible to
> receive beacons that attempt to merge before this occurs causing
> a null pointer dereference. Check ssid_len as that is the last
> thing set in ieee80211_ibss_join.
>
> This occurs quite easily in the presence of adhoc nodes with hidden SSID's
>
> revised previous patch to check further up based on irc feedback
>
> Signed-off-by: Tim Harvey <harvey.tim@xxxxxxxxx>

This seems sensible. I wonder if we should be doing a similar thing for mesh/station modes...

Reviewed-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>

> ---
> net/mac80211/ibss.c | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
> index 410d104..53c7077 100644
> --- a/net/mac80211/ibss.c
> +++ b/net/mac80211/ibss.c
> @@ -780,6 +780,9 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>
> mutex_lock(&sdata->u.ibss.mtx);
>
> + if (!sdata->u.ibss.ssid_len)
> + goto mgmt_out; /* not ready to merge yet */
> +
> switch (fc & IEEE80211_FCTL_STYPE) {
> case IEEE80211_STYPE_PROBE_REQ:
> ieee80211_rx_mgmt_probe_req(sdata, mgmt, skb->len);
> @@ -797,6 +800,7 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
> break;
> }
>
> + mgmt_out:
> mutex_unlock(&sdata->u.ibss.mtx);
> }
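Review bot: the new `if (!sdata->u.ibss.ssid_len) goto mgmt_out;` guard in the first hunk is only correct for as long as ieee80211_ibss_join writes ssid_len last, and as long as that write is ordered against this read (the u.ibss.mtx taken just above would give that ordering if ieee80211_ibss_join sets ssid_len under the same mutex; worth confirming). That invariant is stated in the commit message but not at the check itself, so a later reorder of the assignments in ieee80211_ibss_join could silently reopen the NULL dereference. Suggest saying so in the inline comment, e.g. `/* not ready to merge yet: ssid_len is set last in ieee80211_ibss_join */`. Also worth confirming that a joined IBSS can never legitimately have ssid_len == 0, since the guard would then drop every queued management frame for that interface, not just the early ones.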
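Review bot: a style point on the label added in the second hunk: placing `mgmt_out:` immediately before `mutex_unlock(&sdata->u.ibss.mtx);` is right, since the early exit then still releases the mutex, but the name says nothing about what the path undoes; kernel code commonly calls such a label `out_unlock` (or similar) so a reader at the goto site can see that releasing the lock is the only cleanup. Not a blocker.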