2010-01-23 18:27:19

by Kalle Valo

[permalink] [raw]
Subject: [PATCH] mac80211: fix tx select key null pointer crash with hostapd

Pavel Roskin reported a crash in ieee80211_tx_h_select_key():

http://marc.info/?l=linux-wireless&m=126419655108528&w=2

This is a regression from patch "mac80211: move control.hw_key assignment".
Fix it as suggested by Johannes, adding an else statement to make sure
that tx->key is not accessed when it's null.

Compile-tested only.

Reported-by: Pavel Roskin <[email protected]>
Cc: Johannes Berg <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
---
net/mac80211/tx.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index fcfa988..d017b35 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -547,9 +547,10 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
!ieee80211_use_mfp(hdr->frame_control, tx->sta,
tx->skb))
tx->key = NULL;
- skip_hw = (tx->key->conf.flags &
- IEEE80211_KEY_FLAG_SW_MGMT) &&
- ieee80211_is_mgmt(hdr->frame_control);
+ else
+ skip_hw = (tx->key->conf.flags &
+ IEEE80211_KEY_FLAG_SW_MGMT) &&
+ ieee80211_is_mgmt(hdr->frame_control);
break;
case ALG_AES_CMAC:
if (!ieee80211_is_mgmt(hdr->frame_control))



2010-01-23 19:01:59

by Bob Copeland

[permalink] [raw]
Subject: Re: [PATCH] mac80211: fix tx select key null pointer crash with hostapd

On Sat, Jan 23, 2010 at 1:27 PM, Kalle Valo <[email protected]> wrote:
> Pavel Roskin reported a crash in ieee80211_tx_h_select_key():
>
> http://marc.info/?l=linux-wireless&m=126419655108528&w=2
>
> This is a regression from patch "mac80211: move control.hw_key assignment".
> Fix it as suggested by Johannes, adding an else statement to make sure
> that tx->key is not accessed when it's null.
>
> Compile-tested only.
>
> Reported-by: Pavel Roskin <[email protected]>
> Cc: Johannes Berg <[email protected]>
> Signed-off-by: Kalle Valo <[email protected]>

Tested-by: Bob Copeland <[email protected]>

Thanks!

--
Bob Copeland %% http://www.bobcopeland.com

2010-01-23 18:33:10

by Kalle Valo

[permalink] [raw]
Subject: Re: [PATCH] mac80211: fix tx select key null pointer crash with hostapd

Kalle Valo <[email protected]> writes:

> Pavel Roskin reported a crash in ieee80211_tx_h_select_key():
>
> http://marc.info/?l=linux-wireless&m=126419655108528&w=2
>
> This is a regression from patch "mac80211: move control.hw_key assignment".
> Fix it as suggested by Johannes, adding an else statement to make sure
> that tx->key is not accessed when it's null.

Paul, if you have the time, please try this patch. It should solve
your issue.

In case you are not subcribed to the list, the patch is here:

http://marc.info/?l=linux-wireless&m=126427124317427&w=2

--
Kalle Valo