From: Mohammed Shafi Shajakhan <[email protected]>
In our Fuz testing, reference client corrupts the dest mac to "00:00:00:00:00:00"
in the WPA2 handshake no 2. During driver init the sta_list entries mac
addresses are by default "00:00:00:00:00:00". Driver returns an invalid
pointer (conn) and the drver shall crash, if rxtids (aggr_conn)
skb queues are accessed, since they would not be initialized.
Signed-off-by: Mohammed Shafi Shajakhan <[email protected]>
---
drivers/net/wireless/ath/ath6kl/main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c
index d4fcfca..5839fc2 100644
--- a/drivers/net/wireless/ath/ath6kl/main.c
+++ b/drivers/net/wireless/ath/ath6kl/main.c
@@ -29,6 +29,9 @@ struct ath6kl_sta *ath6kl_find_sta(struct ath6kl_vif *vif, u8 *node_addr)
struct ath6kl_sta *conn = NULL;
u8 i, max_conn;
+ if (is_zero_ether_addr(node_addr))
+ return NULL;
+
max_conn = (vif->nw_type == AP_NETWORK) ? AP_MAX_NUM_STA : 0;
for (i = 0; i < max_conn; i++) {
--
1.7.9.5
Mohammed Shafi Shajakhan <[email protected]> writes:
> From: Mohammed Shafi Shajakhan <[email protected]>
>
> In our Fuz testing, reference client corrupts the dest mac to "00:00:00:00:00:00"
> in the WPA2 handshake no 2. During driver init the sta_list entries mac
> addresses are by default "00:00:00:00:00:00". Driver returns an invalid
> pointer (conn) and the drver shall crash, if rxtids (aggr_conn)
> skb queues are accessed, since they would not be initialized.
>
> Signed-off-by: Mohammed Shafi Shajakhan <[email protected]>
Thanks, applied.
I just did s/ath6kl :/ath6kl:/ in the subject.
--
Kalle Valo