From e85f50118cb48d03bf3c83e559f3fb815d11ce7b Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Sun, 24 Jan 2010 23:39:00 +0000
Subject: [PATCH] madwifi: fix some potential null pointer derefs with wds

SVN-Revision: 19322
---
package/madwifi/patches/370-wdsvap.patch | 8 +++++---
package/madwifi/patches/387-maxassoc.patch | 2 +-
package/madwifi/patches/390-frame_type.patch | 2 +-
package/madwifi/patches/393-mbss_vap_auth.patch | 4 ++--
package/madwifi/patches/394-probereq.patch | 2 +-
package/madwifi/patches/441-fix_ibss_node_handling.patch | 6 +++---
package/madwifi/patches/451-ibss_race_fix.patch | 8 ++++----
7 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/package/madwifi/patches/370-wdsvap.patch b/package/madwifi/patches/370-wdsvap.patch
index 9da13a6c5c..e507afb25d 100644
--- a/package/madwifi/patches/370-wdsvap.patch
+++ b/package/madwifi/patches/370-wdsvap.patch
@@ -794,7 +794,7 @@ vap->iv_stats.is_rx_mgtdiscard++; return; }
-@@ -3471,13 +3519,54 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3471,13 +3519,56 @@ ieee80211_recv_mgmt(struct ieee80211vap */ if (ic->ic_flags & IEEE80211_F_SCAN) { ieee80211_add_scan(vap, &scan, wh, subtype, rssi, rtsf);
@@ -822,13 +822,15 @@ + if (!memcmp(avp->wds_mac, wh->i_addr2, IEEE80211_ADDR_LEN)) { + if (avp->iv_state != IEEE80211_S_RUN) + continue; ++ if (!avp->iv_wdsnode) ++ continue; + found = 1; + break; + } + } + if (found) + ni = ni_or_null = avp->iv_wdsnode; -+ } else if (vap->iv_opmode == IEEE80211_M_WDS) { ++ } else if ((vap->iv_opmode == IEEE80211_M_WDS) && vap->iv_wdsnode) { + found = 1; + ni = ni_or_null = vap->iv_wdsnode; + }
@@ -854,7 +856,7 @@ } else { /* * Copy data from beacon to neighbor table.
-@@ -3490,6 +3579,7 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3490,6 +3581,7 @@ ieee80211_recv_mgmt(struct ieee80211vap IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); memcpy(ni->ni_tstamp.data, scan.tstamp, sizeof(ni->ni_tstamp));
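Review bot: The added `if (!avp->iv_wdsnode) continue;` and the `&& vap->iv_wdsnode` condition remove the NULL dereference, but the matched node is still copied out as a bare pointer (`ni = ni_or_null = avp->iv_wdsnode;`) inside IEEE80211_LOCK_IRQ and, judging from the 441/451 context elsewhere in this commit, used after IEEE80211_UNLOCK_IRQ(vap->iv_ic), so at this point in the series a peer node released between unlock and use would still be a stale pointer; 451-ibss_race_fix.patch later replaces that assignment with `tni = ieee80211_ref_node(avp->iv_wdsnode);`, and the NULL test must stay ahead of that call since taking a reference presumably dereferences the node. I would record the dependency next to the new test: `/* iv_wdsnode may be NULL until the WDS peer is known; test before any ref/deref */`. Stylistically the two early-outs can be one condition: `if (avp->iv_state != IEEE80211_S_RUN || !avp->iv_wdsnode) continue;`. Note that the WDS vap is selected by comparing `wh->i_addr2` of an unauthenticated management frame against `avp->wds_mac`, so a spoofed transmitter address can steer a beacon into this path — pre-existing, not introduced here. ieee80211_recv_mgmt() continues on both sides of this hunk.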
diff --git a/package/madwifi/patches/387-maxassoc.patch b/package/madwifi/patches/387-maxassoc.patch
index d74419bdb0..df2b7fd1f2 100644
--- a/package/madwifi/patches/387-maxassoc.patch
+++ b/package/madwifi/patches/387-maxassoc.patch
@@ -56,7 +56,7 @@ /*
--- a/net80211/ieee80211_input.c
+++ b/net80211/ieee80211_input.c
-@@ -4018,7 +4018,26 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -4020,7 +4020,26 @@ ieee80211_recv_mgmt(struct ieee80211vap vap->iv_stats.is_rx_assoc_norate++; return; }
diff --git a/package/madwifi/patches/390-frame_type.patch b/package/madwifi/patches/390-frame_type.patch
index caad49c3d3..0987f7c5df 100644
--- a/package/madwifi/patches/390-frame_type.patch
+++ b/package/madwifi/patches/390-frame_type.patch
@@ -1,6 +1,6 @@
--- a/net80211/ieee80211_input.c
+++ b/net80211/ieee80211_input.c
-@@ -4441,7 +4441,9 @@ ath_eth_type_trans(struct sk_buff *skb,
+@@ -4443,7 +4443,9 @@ ath_eth_type_trans(struct sk_buff *skb, if (memcmp(eth->h_dest, dev->dev_addr, ETH_ALEN)) skb->pkt_type = PACKET_OTHERHOST;
diff --git a/package/madwifi/patches/393-mbss_vap_auth.patch b/package/madwifi/patches/393-mbss_vap_auth.patch
index 71e11fa39a..0e3ecaf69f 100644
--- a/package/madwifi/patches/393-mbss_vap_auth.patch
+++ b/package/madwifi/patches/393-mbss_vap_auth.patch
@@ -327,7 +327,7 @@ int found = 0; IEEE80211_LOCK_IRQ(vap->iv_ic);
-@@ -3551,10 +3561,12 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3553,10 +3563,12 @@ ieee80211_recv_mgmt(struct ieee80211vap ni->ni_associd |= 0xc000; avp->iv_wdsnode = ieee80211_ref_node(ni); IEEE80211_UNLOCK_IRQ(ic);
@@ -341,7 +341,7 @@ } else { /* * Copy data from beacon to neighbor table.
-@@ -3593,6 +3605,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3595,6 +3607,8 @@ ieee80211_recv_mgmt(struct ieee80211vap ni->ni_rssi = rssi; ni->ni_rtsf = rtsf; ni->ni_last_rx = jiffies;
diff --git a/package/madwifi/patches/394-probereq.patch b/package/madwifi/patches/394-probereq.patch
index becd4c99f5..c754bfa9f0 100644
--- a/package/madwifi/patches/394-probereq.patch
+++ b/package/madwifi/patches/394-probereq.patch
@@ -1,6 +1,6 @@
--- a/net80211/ieee80211_input.c
+++ b/net80211/ieee80211_input.c
-@@ -3619,6 +3619,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3621,6 +3621,8 @@ ieee80211_recv_mgmt(struct ieee80211vap vap->iv_stats.is_rx_mgtdiscard++; return; }
diff --git a/package/madwifi/patches/441-fix_ibss_node_handling.patch b/package/madwifi/patches/441-fix_ibss_node_handling.patch
index b12cf6797d..b12930fbdf 100644
--- a/package/madwifi/patches/441-fix_ibss_node_handling.patch
+++ b/package/madwifi/patches/441-fix_ibss_node_handling.patch
@@ -44,8 +44,8 @@ if (dir != IEEE80211_FC1_DIR_NODS) { IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, wh, "data", "invalid dir 0x%x", dir);
-@@ -3556,6 +3561,11 @@ ieee80211_recv_mgmt(struct ieee80211vap - } else if (vap->iv_opmode == IEEE80211_M_WDS) {
+@@ -3558,6 +3563,11 @@ ieee80211_recv_mgmt(struct ieee80211vap + } else if ((vap->iv_opmode == IEEE80211_M_WDS) && vap->iv_wdsnode) { found = 1; ni = ni_or_null = vap->iv_wdsnode; + } else if (vap->iv_opmode == IEEE80211_M_IBSS) {
@@ -56,7 +56,7 @@ } IEEE80211_UNLOCK_IRQ(vap->iv_ic);
-@@ -3684,19 +3694,8 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3686,19 +3696,8 @@ ieee80211_recv_mgmt(struct ieee80211vap vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ return; }
diff --git a/package/madwifi/patches/451-ibss_race_fix.patch b/package/madwifi/patches/451-ibss_race_fix.patch
index d25d3cc88f..8349b318f2 100644
--- a/package/madwifi/patches/451-ibss_race_fix.patch
+++ b/package/madwifi/patches/451-ibss_race_fix.patch
@@ -53,13 +53,13 @@ int found = 0; IEEE80211_LOCK_IRQ(vap->iv_ic);
-@@ -3568,14 +3561,12 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3570,14 +3563,12 @@ ieee80211_recv_mgmt(struct ieee80211vap } } if (found) - ni = ni_or_null = avp->iv_wdsnode; + tni = ieee80211_ref_node(avp->iv_wdsnode); - } else if (vap->iv_opmode == IEEE80211_M_WDS) { + } else if ((vap->iv_opmode == IEEE80211_M_WDS) && vap->iv_wdsnode) { found = 1; - ni = ni_or_null = vap->iv_wdsnode; - } else if (vap->iv_opmode == IEEE80211_M_IBSS) {
@@ -72,7 +72,7 @@ found = 1; } IEEE80211_UNLOCK_IRQ(vap->iv_ic);
-@@ -3583,20 +3574,21 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3585,20 +3576,21 @@ ieee80211_recv_mgmt(struct ieee80211vap if (!found) break;
@@ -100,7 +100,7 @@ } else { /* * Copy data from beacon to neighbor table.
-@@ -3604,39 +3596,38 @@ ieee80211_recv_mgmt(struct ieee80211vap
+@@ -3606,39 +3598,38 @@ ieee80211_recv_mgmt(struct ieee80211vap * ieee80211_add_neighbor(), so we just copy * everything over to be safe.
-- 2.30.2
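Review bot: `tni = ieee80211_ref_node(avp->iv_wdsnode);` is only NULL-safe because of the `if (!avp->iv_wdsnode) continue;` that 370-wdsvap.patch adds earlier in the loop, and the WDS branch only because of the `&& vap->iv_wdsnode` now in its condition, yet nothing at the ref site records that ordering. Both the test and the reference are taken under IEEE80211_LOCK_IRQ(vap->iv_ic), which is consistent with the one writer visible in this commit (393-mbss_vap_auth.patch stores `avp->iv_wdsnode = ieee80211_ref_node(ni)` before IEEE80211_UNLOCK_IRQ(ic)); whether every path that clears iv_wdsnode also holds that lock is not visible here and is what decides whether the check-then-ref window is really closed. I would add above `if (found)`: `/* iv_wdsnode is NULL-tested and referenced under the ic lock; every writer must hold it */`. The replacement for the removed `ni = ni_or_null = vap->iv_wdsnode;` in the WDS branch and the later use of tni are outside this hunk.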