Return-path: Received: from mail-qy0-f174.google.com ([209.85.216.174]:41888 "EHLO mail-qy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758805Ab0JHR4Y convert rfc822-to-8bit (ORCPT ); Fri, 8 Oct 2010 13:56:24 -0400 Received: by qyk1 with SMTP id 1so246101qyk.19 for ; Fri, 08 Oct 2010 10:56:23 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <1286492072.20974.49.camel@jlt3.sipsolutions.net> References: <201009210057.13297.chunkeey@googlemail.com> <20100924180013.GD8077@tuxdriver.com> <201009250002.21219.chunkeey@googlemail.com> <1286492072.20974.49.camel@jlt3.sipsolutions.net> From: Javier Cardona Date: Fri, 8 Oct 2010 10:56:02 -0700 Message-ID: Subject: Re: [RFC v2] mac80211: fix possible null-pointer dereference To: Johannes Berg Cc: Steve deRosier , Christian Lamparter , "John W. Linville" , Luis Carlos Cobo , linux-wireless@vger.kernel.org Content-Type: text/plain; charset=ISO-8859-1 Sender: linux-wireless-owner@vger.kernel.org List-ID: Johannes, On Thu, Oct 7, 2010 at 3:54 PM, Johannes Berg wrote: >> Javier and I reviewed the patch and it definitely fixes a potential >> problem and is correct. ?Furthermore, applied to wireless-testing >> head, it passes all of our cases in our test bed. >> >> I think it's good to go. > > Err, are you positive? I think the code there is correct, apart from the > fact that it does no validation of > mgmt->u.action.u.plink_action.action_code whatsoever which may allow all > kinds of abuse :) > > The only action that's valid w/o having a station entry for the peer is > PLINK_OPEN, which makes perfect sense. We believe Christian's second patch fixes a null-pointer de-reference that would be triggered by a PLINK_OPEN frame with mismatching/incompatible mesh configuration. Let's analyze that case: void mesh_rx_plink_frame(...) (...) sta = sta_info_get(sdata, mgmt->sa); <-- will return null if (!sta && ftype != PLINK_OPEN) { <-- false for PLINK_OPEN frames (...) if (ftype != PLINK_CLOSE && (!mesh_matches_local(&elems, sdata))) { <-- true for PLINK_OPEN, non-compatible mesh config (...) spin_lock_bh(&sta->lock); <-- boom! The patch not only solves this problem, but also responds correctly to non-compatible PLINK_OPEN frames by generating a PLINK_CLOSE with the right reason code. Cheers, Javier