2008-12-17 11:30:38

by Jouni Malinen

Subject: [PATCH] ath9k: Fix a NULL pointer dereference in ath_rate_get

It looks like mac80211 may try to send unicast frames to a STA that
does not have a STA entry. We need to make sure that that is caught in
the rate control code before dereferencing STA data.

Signed-off-by: Jouni Malinen <[email protected]>
---
drivers/net/wireless/ath9k/rc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- wireless-testing.orig/drivers/net/wireless/ath9k/rc.c 2008-12-17 12:37:50.000000000 +0200
+++ wireless-testing/drivers/net/wireless/ath9k/rc.c 2008-12-17 13:00:38.000000000 +0200
@@ -1498,7 +1498,8 @@ static void ath_get_rate(void *priv, str
__le16 fc = hdr->frame_control;

/* lowest rate for management and multicast/broadcast frames */
- if (!ieee80211_is_data(fc) || is_multicast_ether_addr(hdr->addr1)) {
+ if (!ieee80211_is_data(fc) || is_multicast_ether_addr(hdr->addr1) ||
+ !sta) {
tx_info->control.rates[0].idx = rate_lowest_index(sband, sta);
tx_info->control.rates[0].count =
is_multicast_ether_addr(hdr->addr1) ? 1 : ATH_MGT_TXMAXTRY;
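Review bot: the guarded branch still calls rate_lowest_index(sband, sta) with the now possibly NULL sta, so the fix only holds if that helper treats a NULL sta as supporting every rate; that dependency should be spelled out in the commit message (or in the comment above the condition) so a later change to rate_lowest_index does not reintroduce the dereference. Also, the subject line names ath_rate_get while the hunk header shows the function being patched is ath_get_rate; align the subject with the actual function name.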

--
Jouni Malinen PGP id EFC895FA
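The following is an added, stand-alone model of the rate-selection decision in the patch above; it is not ath9k or mac80211 code. The struct layouts, the constants (ATH_MGT_TXMAXTRY's value, MODEL_DATA_TXMAXTRY, MODEL_N_RATES) and the sample frames are assumptions of the model; only the shape of the patched condition and the NULL-tolerant rate_supported() rule follow the thread. It exercises the four frame classes, including the one that crashed before the fix: a unicast data frame for which no STA entry exists yet.

```c
/*
 * Added example, not ath9k or mac80211 code: a stand-alone model of the
 * rate-selection decision from the patch, with the STA-less case exercised.
 * Struct layouts, constants and the sample frames are assumptions for the
 * model; only the shape of the condition follows the patched hunk.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ATH_MGT_TXMAXTRY    4  /* assumed value; name taken from the hunk */
#define MODEL_DATA_TXMAXTRY 10 /* assumed retry count for the per-STA path */
#define MODEL_N_RATES       8

/* IEEE 802.11 frame control: type field in bits 2-3, type 2 == data;
 * 0x00b0 is a management frame of subtype authentication. */
#define FCTL_FTYPE_MASK 0x000c
#define FTYPE_DATA      0x0008
#define FC_AUTH         0x00b0
#define FC_DATA         0x0008

struct sta_model {
    uint32_t supp_rates;    /* bit i set => STA supports rate index i */
    int      preferred_idx; /* what per-STA rate control would choose */
};

struct tx_rate {
    int idx;
    int count;
};

static bool is_data(uint16_t fc)
{
    return (fc & FCTL_FTYPE_MASK) == FTYPE_DATA;
}

static bool is_multicast(const uint8_t *addr1)
{
    return (addr1[0] & 0x01) != 0;
}

/* Mirrors the mac80211 rule that a NULL sta counts as supporting every
 * rate; this is what makes rate_lowest_index() safe to call with NULL. */
static bool rate_supported(const struct sta_model *sta, int index)
{
    return sta == NULL || (sta->supp_rates & (1u << index)) != 0;
}

static int rate_lowest_index(const struct sta_model *sta)
{
    for (int i = 0; i < MODEL_N_RATES; i++)
        if (rate_supported(sta, i))
            return i;
    return 0;
}

/*
 * The decision from the patched hunk.  Before the fix the "|| !sta" term
 * was missing, so a unicast data frame with no STA entry fell through to
 * the per-STA branch and dereferenced sta.
 */
struct tx_rate model_get_rate(uint16_t fc, const uint8_t *addr1,
                              const struct sta_model *sta)
{
    struct tx_rate r;

    if (!is_data(fc) || is_multicast(addr1) || !sta) {
        r.idx = rate_lowest_index(sta);
        r.count = is_multicast(addr1) ? 1 : ATH_MGT_TXMAXTRY;
        return r;
    }
    /* Per-STA state is only touched once sta is known to be non-NULL. */
    r.idx = sta->preferred_idx;
    r.count = MODEL_DATA_TXMAXTRY;
    return r;
}

/* Constructed sample frames (not from the thread) so the model runs
 * stand-alone.  The model "STA" supports rate indices 2..7 and prefers 5. */
enum sample {
    SAMPLE_AUTH_NO_STA,       /* injected auth frame before the STA exists */
    SAMPLE_DATA_BCAST,        /* broadcast data frame */
    SAMPLE_DATA_UCAST,        /* unicast data to a known STA */
    SAMPLE_DATA_UCAST_NO_STA  /* unicast data, no STA entry: the crash case */
};

struct tx_rate model_sample(enum sample s)
{
    static const uint8_t ucast[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
    static const uint8_t bcast[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    static const struct sta_model sta = { .supp_rates = 0xfcu,
                                          .preferred_idx = 5 };

    switch (s) {
    case SAMPLE_AUTH_NO_STA: return model_get_rate(FC_AUTH, ucast, NULL);
    case SAMPLE_DATA_BCAST:  return model_get_rate(FC_DATA, bcast, &sta);
    case SAMPLE_DATA_UCAST:  return model_get_rate(FC_DATA, ucast, &sta);
    default:                 return model_get_rate(FC_DATA, ucast, NULL);
    }
}
```

The point the model makes explicit is that the guard alone is not enough: the lowest-rate branch still passes the NULL sta into rate_lowest_index(), so the helper it calls has to treat "no STA" as "all rates allowed", which is what rate_supported() does here.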


2008-12-17 12:25:28

by Christian Lamparter

Subject: Re: [PATCH] ath9k: Fix a NULL pointer dereference in ath_rate_get

On Wednesday 17 December 2008 13:02:50 Jouni Malinen wrote:
> On Wed, Dec 17, 2008 at 12:30:56PM +0100, Johannes Berg wrote:
> > On Wed, 2008-12-17 at 13:30 +0200, Jouni Malinen wrote:
> > > It looks like mac80211 may try to send unicast frames to a STA that
> > > does not have a STA entry. We need to make sure that that is caught in
> > > the rate control code before dereferencing STA data.
> >
> > This should only happen for injected packets, can you verify? OTOH, AP
> > mode obviously has injected packets (auth response, ...)
>
> I did not check what the exact frame was, but this was indeed in AP mode
> and the frame was most likely from hostapd and as such, an injected
> packet.
>

hostapd: wlan1: STA XX:XX:XX:XX:0d IEEE 802.11: authenticated
kernel: [ 3130.431067] ------------[ cut here ]------------
kernel: [ 3130.431076] WARNING: at net/mac80211/rc80211_minstrel.c:69 minstrel_rate_init+0xb8/0x320 [mac80211]()
kernel: [ 3130.431081] Modules linked in: p54usb p54pci p54common [...]
kernel: [ 3130.431300] Pid: 16961, comm: hostapd2 Tainted: P 2.6.28-rc7-wl #3
[ 3130.431305] Call Trace:
[ 3130.431318] [<ffffffff802343c1>] warn_on_slowpath+0x51/0x75
[ 3130.431329] [<ffffffff803d74b0>] rb_insert_color+0xba/0xe2
[ 3130.431338] [<ffffffff802480ef>] __remove_hrtimer+0x7c/0x88
[ 3130.431375] [<ffffffffa00bd30e>] minstrel_rate_init+0xb8/0x320 [mac80211]
[ 3130.431417] [<ffffffffa00ae713>] ieee80211_add_station+0x145/0x17d [mac80211]
hostapd: wlan1: STA XX:XX:XX:XX:0d IEEE 802.11: associated (aid 1, accounting session 494187DD-00000000)
kernel: [ 3130.431440] [<ffffffffa00897af>] nl80211_new_station+0x1b3/0x20b [cfg80211]
kernel: [ 3130.431450] [<ffffffff80595691>] mutex_lock+0xd/0x1e
kernel: [ 3130.431459] [<ffffffff804f6f86>] nla_parse+0x4b/0xb2

yup, the Warning just happened right between auth and assoc

Regards,
Chr

2008-12-17 11:51:02

by Johannes Berg

Subject: Re: [PATCH] ath9k: Fix a NULL pointer dereference in ath_rate_get

On Wed, 2008-12-17 at 13:30 +0200, Jouni Malinen wrote:
> It looks like mac80211 may try to send unicast frames to a STA that
> does not have a STA entry. We need to make sure that that is caught in
> the rate control code before dereferencing STA data.

This should only happen for injected packets, can you verify? OTOH, AP
mode obviously has injected packets (auth response, ...)

johannes


2008-12-17 12:03:15

by Jouni Malinen

Subject: Re: [PATCH] ath9k: Fix a NULL pointer dereference in ath_rate_get

On Wed, Dec 17, 2008 at 12:30:56PM +0100, Johannes Berg wrote:
> On Wed, 2008-12-17 at 13:30 +0200, Jouni Malinen wrote:
> > It looks like mac80211 may try to send unicast frames to a STA that
> > does not have a STA entry. We need to make sure that that is caught in
> > the rate control code before dereferencing STA data.
>
> This should only happen for injected packets, can you verify? OTOH, AP
> mode obviously has injected packets (auth response, ...)

I did not check what the exact frame was, but this was indeed in AP mode
and the frame was most likely from hostapd and as such, an injected
packet.

--
Jouni Malinen PGP id EFC895FA

2008-12-17 12:36:04

by Johannes Berg

Subject: Re: [PATCH] ath9k: Fix a NULL pointer dereference in ath_rate_get

On Wed, 2008-12-17 at 13:25 +0100, Christian Lamparter wrote:

> hostapd: wlan1: STA XX:XX:XX:XX:0d IEEE 802.11: authenticated
> kernel: [ 3130.431067] ------------[ cut here ]------------
> kernel: [ 3130.431076] WARNING: at net/mac80211/rc80211_minstrel.c:69 minstrel_rate_init+0xb8/0x320 [mac80211]()
> kernel: [ 3130.431081] Modules linked in: p54usb p54pci p54common [...]
> kernel: [ 3130.431300] Pid: 16961, comm: hostapd2 Tainted: P 2.6.28-rc7-wl #3
> [ 3130.431305] Call Trace:
> [ 3130.431318] [<ffffffff802343c1>] warn_on_slowpath+0x51/0x75
> [ 3130.431329] [<ffffffff803d74b0>] rb_insert_color+0xba/0xe2
> [ 3130.431338] [<ffffffff802480ef>] __remove_hrtimer+0x7c/0x88
> [ 3130.431375] [<ffffffffa00bd30e>] minstrel_rate_init+0xb8/0x320 [mac80211]
> [ 3130.431417] [<ffffffffa00ae713>] ieee80211_add_station+0x145/0x17d [mac80211]
> hostapd: wlan1: STA XX:XX:XX:XX:0d IEEE 802.11: associated (aid 1, accounting session 494187DD-00000000)
> kernel: [ 3130.431440] [<ffffffffa00897af>] nl80211_new_station+0x1b3/0x20b [cfg80211]
> kernel: [ 3130.431450] [<ffffffff80595691>] mutex_lock+0xd/0x1e
> kernel: [ 3130.431459] [<ffffffff804f6f86>] nla_parse+0x4b/0xb2
>
> yup, the Warning just happend right between auth and assoc

This, umm, seems totally unrelated since Jouni was fixing something in
ath9k's RC algorithm.

johannes


2008-12-17 13:02:11

by Christian Lamparter

Subject: Re: [PATCH] ath9k: Fix a NULL pointer dereference in ath_rate_get

On Wednesday 17 December 2008 13:21:04 Johannes Berg wrote:
> On Wed, 2008-12-17 at 13:25 +0100, Christian Lamparter wrote:
>
> > hostapd: wlan1: STA XX:XX:XX:XX:0d IEEE 802.11: authenticated
> > kernel: [ 3130.431067] ------------[ cut here ]------------
> > kernel: [ 3130.431076] WARNING: at net/mac80211/rc80211_minstrel.c:69 minstrel_rate_init+0xb8/0x320 [mac80211]()
> > kernel: [ 3130.431081] Modules linked in: p54usb p54pci p54common [...]
> > kernel: [ 3130.431300] Pid: 16961, comm: hostapd2 Tainted: P 2.6.28-rc7-wl #3
> > [ 3130.431305] Call Trace:
> > [ 3130.431318] [<ffffffff802343c1>] warn_on_slowpath+0x51/0x75
> > [ 3130.431329] [<ffffffff803d74b0>] rb_insert_color+0xba/0xe2
> > [ 3130.431338] [<ffffffff802480ef>] __remove_hrtimer+0x7c/0x88
> > [ 3130.431375] [<ffffffffa00bd30e>] minstrel_rate_init+0xb8/0x320 [mac80211]
> > [ 3130.431417] [<ffffffffa00ae713>] ieee80211_add_station+0x145/0x17d [mac80211]
> > hostapd: wlan1: STA XX:XX:XX:XX:0d IEEE 802.11: associated (aid 1, accounting session 494187DD-00000000)
> > kernel: [ 3130.431440] [<ffffffffa00897af>] nl80211_new_station+0x1b3/0x20b [cfg80211]
> > kernel: [ 3130.431450] [<ffffffff80595691>] mutex_lock+0xd/0x1e
> > kernel: [ 3130.431459] [<ffffffff804f6f86>] nla_parse+0x4b/0xb2
> >
> > yup, the Warning just happend right between auth and assoc
>
> This, umm, seems totally unrelated since Jouni was fixing something in
> ath9k's RC algorithm.
>
hmm, I wanted to point out that not only ath9k's RC algorithm has problems with
uninitialized/dereferenced sta... as he said in his patch description:

"It looks like mac80211 may try to send unicast frames to a STA that does not have a STA entry. "

But if this is an unrelated problem... Sorry!!!

Regards,
Chr