Commit 7400f42e authored Oct 31, 2009 by Johannes Berg Committed by John W. Linville Nov 02, 2009

cfg80211: fix NULL ptr deref

commit 211a4d12abf86fe0df4cd68fc6327cbb58f56f81
  Author: Johannes Berg <johannes@sipsolutions.net>
  Date:   Tue Oct 20 15:08:53 2009 +0900

      cfg80211: sme: deauthenticate on assoc failure

introduced a potential NULL pointer dereference that
some people have been hitting for some reason -- the
params.bssid pointer is not guaranteed to be non-NULL
for what seems to be a race between various ways of
reaching the same thing.

While I'm trying to analyse the problem more let's
first fix the crash. I think the real fix may be to
avoid doing _anything_ if it ended up being NULL, but
right now I'm not sure yet.

I think
http://bugzilla.kernel.org/show_bug.cgi?id=14342


might also be this issue.

Reported-by: Parag Warudkar <parag.lkml@gmail.com>
Tested-by: Parag Warudkar <parag.lkml@gmail.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

parent e9024a05

net/wireless/sme.c

+5 −2

Original line number	Diff line number	Diff line
		@@ -165,7 +165,7 @@ void cfg80211_conn_work(struct work_struct *work)
		struct cfg80211_registered_device *rdev =
		container_of(work, struct cfg80211_registered_device, conn_work);
		struct wireless_dev *wdev;
		u8 bssid[ETH_ALEN];
		u8 bssid_buf[ETH_ALEN], *bssid = NULL;

		rtnl_lock();
		cfg80211_lock_rdev(rdev);
		@@ -181,7 +181,10 @@ void cfg80211_conn_work(struct work_struct *work)
		wdev_unlock(wdev);
		continue;
		}
		memcpy(bssid, wdev->conn->params.bssid, ETH_ALEN);
		if (wdev->conn->params.bssid) {
		memcpy(bssid_buf, wdev->conn->params.bssid, ETH_ALEN);
		bssid = bssid_buf;
		}
		if (cfg80211_conn_do_work(wdev))
		__cfg80211_connect_result(
		wdev->netdev, bssid,