lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200115135338.14374-48-Jerome.Pouiller@silabs.com> Date: Wed, 15 Jan 2020 13:55:10 +0000 From: Jérôme Pouiller <Jerome.Pouiller@...abs.com> To: "devel@...verdev.osuosl.org" <devel@...verdev.osuosl.org>, "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org> CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Kalle Valo <kvalo@...eaurora.org>, "David S . Miller" <davem@...emloft.net>, Jérôme Pouiller <Jerome.Pouiller@...abs.com> Subject: [PATCH v2 47/65] staging: wfx: fix bss_loss From: Jérôme Pouiller <jerome.pouiller@...abs.com> wfx_tx_confirm_cb() retrieves the station associated with a frame using the MAC address from the 802.11 header. In the other side wfx_tx() retrieves the station using sta field from the ieee80211_tx_control argument. In wfx_cqm_bssloss_sm(), wfx_tx() was called directly without valid sta field, but with a valid MAC address in 802.11 header. So there the processing of this packet was unbalanced and may produce weird bugs. Signed-off-by: Jérôme Pouiller <jerome.pouiller@...abs.com> --- drivers/staging/wfx/sta.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/staging/wfx/sta.c b/drivers/staging/wfx/sta.c index aebce96dcd4a..1c10ebd11944 100644 --- a/drivers/staging/wfx/sta.c +++ b/drivers/staging/wfx/sta.c @@ -88,19 +88,25 @@ void wfx_cqm_bssloss_sm(struct wfx_vif *wvif, int init, int good, int bad) // FIXME: call ieee80211_beacon_loss/ieee80211_connection_loss instead if (tx) { struct sk_buff *skb; + struct ieee80211_hdr *hdr; + struct ieee80211_tx_control control = { }; wvif->bss_loss_state++; skb = ieee80211_nullfunc_get(wvif->wdev->hw, wvif->vif, false); if (!skb) goto end; + hdr = (struct ieee80211_hdr *)skb->data; memset(IEEE80211_SKB_CB(skb), 0, sizeof(*IEEE80211_SKB_CB(skb))); IEEE80211_SKB_CB(skb)->control.vif = wvif->vif; IEEE80211_SKB_CB(skb)->driver_rates[0].idx = 0; IEEE80211_SKB_CB(skb)->driver_rates[0].count = 1; IEEE80211_SKB_CB(skb)->driver_rates[1].idx = -1; - wfx_tx(wvif->wdev->hw, NULL, skb); + rcu_read_lock(); // protect control.sta + control.sta = ieee80211_find_sta(wvif->vif, hdr->addr1); + wfx_tx(wvif->wdev->hw, &control, skb); + rcu_read_unlock(); } end: mutex_unlock(&wvif->bss_loss_lock); -- 2.25.0
Powered by blists - more mailing lists