• Johannes Berg's avatar
    mac80211: fix two remote exploits · 4253119a
    Johannes Berg authored
    Lennert Buytenhek noticed a remotely triggerable problem
    in mac80211, which is due to some code shuffling I did
    that ended up changing the order in which things were
    done -- this was in
    
      commit d75636ef
      Author: Johannes Berg <johannes@sipsolutions.net>
      Date:   Tue Feb 10 21:25:53 2009 +0100
    
        mac80211: RX aggregation: clean up stop session
    
    The problem is that the BUG_ON moved before the various
    checks, and as such can be triggered.
    
    As the comment indicates, the BUG_ON can be removed since
    the ampdu_action callback must already exist when the
    state is OPERATIONAL.
    
    A similar code path leads to a WARN_ON in
    ieee80211_stop_tx_ba_session, which can also be removed.
    
    Cc: stable@kernel.org [2.6.29+]
    Cc: Lennert Buytenhek <buytenh@marvell.com>
    Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
    Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
    4253119a
agg-rx.c 9.68 KB