Differential D43469

net80211: fix a NULL deref in ieee80211_sta_join1()
ClosedPublic
Actions

Authored by bz on Jan 16 2024, 7:00 PM.

Tags

None

Referenced Files

	F87031774: D43469.id133793.diff
	Fri, Jun 28, 1:46 PM

	Unknown Object (File)
	May 24 2024, 8:02 AM

	Unknown Object (File)
	May 17 2024, 6:02 AM

	Unknown Object (File)
	May 15 2024, 10:15 AM

	Unknown Object (File)
	May 15 2024, 7:22 AM

	Unknown Object (File)
	May 13 2024, 6:27 AM

	Unknown Object (File)
	May 13 2024, 3:10 AM

	Unknown Object (File)
	Apr 27 2024, 2:52 PM

View All 15 Files

Subscribers

Details

Reviewers

adrian
cc

Commits

rGf7c8d5448446: net80211: fix a NULL deref in ieee80211_sta_join1()
rG755a04671dd4: net80211: fix a NULL deref in ieee80211_sta_join1()
rG680fd9feb104: net80211: fix a NULL deref in ieee80211_sta_join1()
rG8a5a3e3d0436: net80211: fix a NULL deref in ieee80211_sta_join1()

Summary

When ieee80211_sta_join1() gets an obss without ni_nt trying to lock
that will cause a NULL pointer deref. Check for the table to be
valid and deal with the obss node accordingly.

This can happen if sta_newstate() calls ieee80211_reset_bss() for
nstate == INIT and ostate != INIT. ieee80211_reset_bss() itself
calls ieee80211_node_table_reset() which calls node_reclaim()
which ends up in ieee80211_del_node_nt() which does remove the
node from the table and sets ni_table to NULL.
That node (former iv_bss) can then be returned as obss in the
(*iv_update_bss)() call in join1().

MFC after: 3 days

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 55458
Build 52347: arc lint + arc unit

Event Timeline

bz created this revision.Jan 16 2024, 7:00 PM

Herald added subscribers: glebius, melifaro, imp. · View Herald TranscriptJan 16 2024, 7:00 PM

bz requested review of this revision.Jan 16 2024, 7:00 PM

Harbormaster completed remote builds in B55458: Diff 132843.Jan 16 2024, 7:00 PM

nice catch! The iv_bss reference issues strike again! :P

This revision is now accepted and ready to land.Jan 16 2024, 7:19 PM

cc accepted this revision.Jan 17 2024, 3:22 PM

Closed by commit rG8a5a3e3d0436: net80211: fix a NULL deref in ieee80211_sta_join1() (authored by bz). · Explain WhyFeb 3 2024, 1:55 PM

This revision was automatically updated to reflect the committed changes.

bz added a commit: rG8a5a3e3d0436: net80211: fix a NULL deref in ieee80211_sta_join1().

bz added a commit: rG680fd9feb104: net80211: fix a NULL deref in ieee80211_sta_join1().Feb 18 2024, 9:17 PM

bz added a commit: rG755a04671dd4: net80211: fix a NULL deref in ieee80211_sta_join1().Feb 19 2024, 8:09 AM

bz added a commit: rGf7c8d5448446: net80211: fix a NULL deref in ieee80211_sta_join1().Feb 19 2024, 4:10 PM

Revision Contents
Changeset List

Path

Size

sys/

net80211/

ieee80211_node.c

13 lines

Diff 132843

sys/net80211/ieee80211_node.c

Loading...