projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e9024a0)
cfg80211: fix NULL ptr deref
authorJohannes Berg <johannes@sipsolutions.net>
Sat, 31 Oct 2009 06:40:37 +0000 (07:40 +0100)
committerJohn W. Linville <linville@tuxdriver.com>
Mon, 2 Nov 2009 20:14:07 +0000 (15:14 -0500)
commit 211a4d12abf86fe0df4cd68fc6327cbb58f56f81
  Author: Johannes Berg <johannes@sipsolutions.net>
  Date:   Tue Oct 20 15:08:53 2009 +0900

      cfg80211: sme: deauthenticate on assoc failure

introduced a potential NULL pointer dereference that
some people have been hitting for some reason -- the
params.bssid pointer is not guaranteed to be non-NULL
for what seems to be a race between various ways of
reaching the same thing.

While I'm trying to analyse the problem more let's
first fix the crash. I think the real fix may be to
avoid doing _anything_ if it ended up being NULL, but
right now I'm not sure yet.

I think
http://bugzilla.kernel.org/show_bug.cgi?id=14342
might also be this issue.

Reported-by: Parag Warudkar <parag.lkml@gmail.com>
Tested-by: Parag Warudkar <parag.lkml@gmail.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
net/wireless/sme.c patch | blob | blame | history

diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index ece378d531ef98b69122068d1a9f0fc746f83356..9f0b2800a9d7084e198224c178b947779fe63a24 100644 (file)
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -165,7 +165,7 @@ void cfg80211_conn_work(struct work_struct *work)
        struct cfg80211_registered_device *rdev =
                container_of(work, struct cfg80211_registered_device, conn_work);
        struct wireless_dev *wdev;
-       u8 bssid[ETH_ALEN];
+       u8 bssid_buf[ETH_ALEN], *bssid = NULL;
 
        rtnl_lock();
        cfg80211_lock_rdev(rdev);
@@ -181,7 +181,10 @@ void cfg80211_conn_work(struct work_struct *work)
                        wdev_unlock(wdev);
                        continue;
                }
-               memcpy(bssid, wdev->conn->params.bssid, ETH_ALEN);
+               if (wdev->conn->params.bssid) {
+                       memcpy(bssid_buf, wdev->conn->params.bssid, ETH_ALEN);
+                       bssid = bssid_buf;
+               }
                if (cfg80211_conn_do_work(wdev))
                        __cfg80211_connect_result(
                                        wdev->netdev, bssid,