summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authornbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73>2010-01-24 23:39:00 +0000
committernbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73>2010-01-24 23:39:00 +0000
commitc941f1cfbc302cfd6741959f0e1e4dcbe289704c (patch)
tree8178c6961d24310356875e5880d58d72f157e2b5
parentde12d253e8163322f7e71bed07a908dc942114e4 (diff)
madwifi: fix some potential null pointer derefs with wds
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@19322 3c298f89-4303-0410-b956-a3cf2f4a3e73
-rw-r--r--package/madwifi/patches/370-wdsvap.patch8
-rw-r--r--package/madwifi/patches/387-maxassoc.patch2
-rw-r--r--package/madwifi/patches/390-frame_type.patch2
-rw-r--r--package/madwifi/patches/393-mbss_vap_auth.patch4
-rw-r--r--package/madwifi/patches/394-probereq.patch2
-rw-r--r--package/madwifi/patches/441-fix_ibss_node_handling.patch6
-rw-r--r--package/madwifi/patches/451-ibss_race_fix.patch8
7 files changed, 17 insertions, 15 deletions
diff --git a/package/madwifi/patches/370-wdsvap.patch b/package/madwifi/patches/370-wdsvap.patch
index 9da13a6c5c..e507afb25d 100644
--- a/package/madwifi/patches/370-wdsvap.patch
+++ b/package/madwifi/patches/370-wdsvap.patch
@@ -794,7 +794,7 @@
vap->iv_stats.is_rx_mgtdiscard++;
return;
}
-@@ -3471,13 +3519,54 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3471,13 +3519,56 @@ ieee80211_recv_mgmt(struct ieee80211vap
*/
if (ic->ic_flags & IEEE80211_F_SCAN) {
ieee80211_add_scan(vap, &scan, wh, subtype, rssi, rtsf);
@@ -822,13 +822,15 @@
+ if (!memcmp(avp->wds_mac, wh->i_addr2, IEEE80211_ADDR_LEN)) {
+ if (avp->iv_state != IEEE80211_S_RUN)
+ continue;
++ if (!avp->iv_wdsnode)
++ continue;
+ found = 1;
+ break;
+ }
+ }
+ if (found)
+ ni = ni_or_null = avp->iv_wdsnode;
-+ } else if (vap->iv_opmode == IEEE80211_M_WDS) {
++ } else if ((vap->iv_opmode == IEEE80211_M_WDS) && vap->iv_wdsnode) {
+ found = 1;
+ ni = ni_or_null = vap->iv_wdsnode;
+ }
@@ -854,7 +856,7 @@
} else {
/*
* Copy data from beacon to neighbor table.
-@@ -3490,6 +3579,7 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3490,6 +3581,7 @@ ieee80211_recv_mgmt(struct ieee80211vap
IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
memcpy(ni->ni_tstamp.data, scan.tstamp,
sizeof(ni->ni_tstamp));
diff --git a/package/madwifi/patches/387-maxassoc.patch b/package/madwifi/patches/387-maxassoc.patch
index d74419bdb0..df2b7fd1f2 100644
--- a/package/madwifi/patches/387-maxassoc.patch
+++ b/package/madwifi/patches/387-maxassoc.patch
@@ -56,7 +56,7 @@
/*
--- a/net80211/ieee80211_input.c
+++ b/net80211/ieee80211_input.c
-@@ -4018,7 +4018,26 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -4020,7 +4020,26 @@ ieee80211_recv_mgmt(struct ieee80211vap
vap->iv_stats.is_rx_assoc_norate++;
return;
}
diff --git a/package/madwifi/patches/390-frame_type.patch b/package/madwifi/patches/390-frame_type.patch
index caad49c3d3..0987f7c5df 100644
--- a/package/madwifi/patches/390-frame_type.patch
+++ b/package/madwifi/patches/390-frame_type.patch
@@ -1,6 +1,6 @@
--- a/net80211/ieee80211_input.c
+++ b/net80211/ieee80211_input.c
-@@ -4441,7 +4441,9 @@ ath_eth_type_trans(struct sk_buff *skb,
+@@ -4443,7 +4443,9 @@ ath_eth_type_trans(struct sk_buff *skb,
if (memcmp(eth->h_dest, dev->dev_addr, ETH_ALEN))
skb->pkt_type = PACKET_OTHERHOST;
diff --git a/package/madwifi/patches/393-mbss_vap_auth.patch b/package/madwifi/patches/393-mbss_vap_auth.patch
index 71e11fa39a..0e3ecaf69f 100644
--- a/package/madwifi/patches/393-mbss_vap_auth.patch
+++ b/package/madwifi/patches/393-mbss_vap_auth.patch
@@ -327,7 +327,7 @@
int found = 0;
IEEE80211_LOCK_IRQ(vap->iv_ic);
-@@ -3551,10 +3561,12 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3553,10 +3563,12 @@ ieee80211_recv_mgmt(struct ieee80211vap
ni->ni_associd |= 0xc000;
avp->iv_wdsnode = ieee80211_ref_node(ni);
IEEE80211_UNLOCK_IRQ(ic);
@@ -341,7 +341,7 @@
} else {
/*
* Copy data from beacon to neighbor table.
-@@ -3593,6 +3605,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3595,6 +3607,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
ni->ni_rssi = rssi;
ni->ni_rtsf = rtsf;
ni->ni_last_rx = jiffies;
diff --git a/package/madwifi/patches/394-probereq.patch b/package/madwifi/patches/394-probereq.patch
index becd4c99f5..c754bfa9f0 100644
--- a/package/madwifi/patches/394-probereq.patch
+++ b/package/madwifi/patches/394-probereq.patch
@@ -1,6 +1,6 @@
--- a/net80211/ieee80211_input.c
+++ b/net80211/ieee80211_input.c
-@@ -3619,6 +3619,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3621,6 +3621,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
vap->iv_stats.is_rx_mgtdiscard++;
return;
}
diff --git a/package/madwifi/patches/441-fix_ibss_node_handling.patch b/package/madwifi/patches/441-fix_ibss_node_handling.patch
index b12cf6797d..b12930fbdf 100644
--- a/package/madwifi/patches/441-fix_ibss_node_handling.patch
+++ b/package/madwifi/patches/441-fix_ibss_node_handling.patch
@@ -44,8 +44,8 @@
if (dir != IEEE80211_FC1_DIR_NODS) {
IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
wh, "data", "invalid dir 0x%x", dir);
-@@ -3556,6 +3561,11 @@ ieee80211_recv_mgmt(struct ieee80211vap
- } else if (vap->iv_opmode == IEEE80211_M_WDS) {
+@@ -3558,6 +3563,11 @@ ieee80211_recv_mgmt(struct ieee80211vap
+ } else if ((vap->iv_opmode == IEEE80211_M_WDS) && vap->iv_wdsnode) {
found = 1;
ni = ni_or_null = vap->iv_wdsnode;
+ } else if (vap->iv_opmode == IEEE80211_M_IBSS) {
@@ -56,7 +56,7 @@
}
IEEE80211_UNLOCK_IRQ(vap->iv_ic);
-@@ -3684,19 +3694,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3686,19 +3696,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
return;
}
diff --git a/package/madwifi/patches/451-ibss_race_fix.patch b/package/madwifi/patches/451-ibss_race_fix.patch
index d25d3cc88f..8349b318f2 100644
--- a/package/madwifi/patches/451-ibss_race_fix.patch
+++ b/package/madwifi/patches/451-ibss_race_fix.patch
@@ -53,13 +53,13 @@
int found = 0;
IEEE80211_LOCK_IRQ(vap->iv_ic);
-@@ -3568,14 +3561,12 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3570,14 +3563,12 @@ ieee80211_recv_mgmt(struct ieee80211vap
}
}
if (found)
- ni = ni_or_null = avp->iv_wdsnode;
+ tni = ieee80211_ref_node(avp->iv_wdsnode);
- } else if (vap->iv_opmode == IEEE80211_M_WDS) {
+ } else if ((vap->iv_opmode == IEEE80211_M_WDS) && vap->iv_wdsnode) {
found = 1;
- ni = ni_or_null = vap->iv_wdsnode;
- } else if (vap->iv_opmode == IEEE80211_M_IBSS) {
@@ -72,7 +72,7 @@
found = 1;
}
IEEE80211_UNLOCK_IRQ(vap->iv_ic);
-@@ -3583,20 +3574,21 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3585,20 +3576,21 @@ ieee80211_recv_mgmt(struct ieee80211vap
if (!found)
break;
@@ -100,7 +100,7 @@
} else {
/*
* Copy data from beacon to neighbor table.
-@@ -3604,39 +3596,38 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3606,39 +3598,38 @@ ieee80211_recv_mgmt(struct ieee80211vap
* ieee80211_add_neighbor(), so we just copy
* everything over to be safe.
*/