Commit fe100acd authored by Johannes Berg's avatar Johannes Berg Committed by John W. Linville

cfg80211: fix locking in action frame TX

Accesses to "wdev->current_bss" must be
locked with the wdev lock, which action
frame transmission is missing.

Cc: stable@kernel.org [2.6.33+]
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent a9fda88b
...@@ -843,15 +843,21 @@ int cfg80211_mlme_action(struct cfg80211_registered_device *rdev, ...@@ -843,15 +843,21 @@ int cfg80211_mlme_action(struct cfg80211_registered_device *rdev,
return -EINVAL; return -EINVAL;
if (mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) { if (mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) {
/* Verify that we are associated with the destination AP */ /* Verify that we are associated with the destination AP */
wdev_lock(wdev);
if (!wdev->current_bss || if (!wdev->current_bss ||
memcmp(wdev->current_bss->pub.bssid, mgmt->bssid, memcmp(wdev->current_bss->pub.bssid, mgmt->bssid,
ETH_ALEN) != 0 || ETH_ALEN) != 0 ||
(wdev->iftype == NL80211_IFTYPE_STATION && (wdev->iftype == NL80211_IFTYPE_STATION &&
memcmp(wdev->current_bss->pub.bssid, mgmt->da, memcmp(wdev->current_bss->pub.bssid, mgmt->da,
ETH_ALEN) != 0)) ETH_ALEN) != 0)) {
wdev_unlock(wdev);
return -ENOTCONN; return -ENOTCONN;
} }
wdev_unlock(wdev);
}
if (memcmp(mgmt->sa, dev->dev_addr, ETH_ALEN) != 0) if (memcmp(mgmt->sa, dev->dev_addr, ETH_ALEN) != 0)
return -EINVAL; return -EINVAL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment