Date:      Fri, 10 May 2013 09:37:58 +0000 (UTC)
From:      Adrian Chadd <adrian@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r250442 - head/sys/net80211
Message-ID:  <201305100937.r4A9bwNq004735@svn.freebsd.org>

Author: adrian
Date: Fri May 10 09:37:58 2013
New Revision: 250442
URL: http://svnweb.freebsd.org/changeset/base/250442

Log:
  Fix a VAP BSS node reference in the HT code to actually take a reference
  before using said node.
  
  The "blessed" way here is to take a node reference before referencing
  anything inside the node, otherwise the node can be freed between
  the time the pointer is copied/dereferenced and the time the node contents
  are used.
  
  This mirrors fixes that I've done elsewhere in the net80211/driver
  stack.
  
  PR:		kern/178470

Modified:
  head/sys/net80211/ieee80211_ht.c

Modified: head/sys/net80211/ieee80211_ht.c
==============================================================================
--- head/sys/net80211/ieee80211_ht.c	Fri May 10 08:46:10 2013	(r250441)
+++ head/sys/net80211/ieee80211_ht.c	Fri May 10 09:37:58 2013	(r250442)
@@ -2773,11 +2773,15 @@ ieee80211_ht_update_beacon(struct ieee80
 	struct ieee80211_beacon_offsets *bo)
 {
 #define	PROTMODE	(IEEE80211_HTINFO_OPMODE|IEEE80211_HTINFO_NONHT_PRESENT)
-	const struct ieee80211_channel *bsschan = vap->iv_bss->ni_chan;
+	struct ieee80211_node *ni;
+	const struct ieee80211_channel *bsschan;
 	struct ieee80211com *ic = vap->iv_ic;
 	struct ieee80211_ie_htinfo *ht =
 	   (struct ieee80211_ie_htinfo *) bo->bo_htinfo;
 
+	ni = ieee80211_ref_node(vap->iv_bss);
+	bsschan = ni->ni_chan;
+
 	/* XXX only update on channel change */
 	ht->hi_ctrlchannel = ieee80211_chan2ieee(ic, bsschan);
 	if (vap->iv_flags_ht & IEEE80211_FHT_RIFS)
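Review bot: On the added line `ni = ieee80211_ref_node(vap->iv_bss);` the pointer load and the reference-count increment are still two separate steps, so the reference only protects the node once the increment has happened. If nothing prevents the VAP's BSS node from being swapped and released at that moment, the increment itself could touch freed memory; the hunk shows no lock or assertion, so this is inferred rather than confirmed. If callers do hold a lock that pins `iv_bss`, state it with an assertion or a comment such as `/* caller holds <lock name>; iv_bss cannot be replaced here */`. The pointer is also passed on without a NULL check. The function body continues beyond this hunk.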
@@ -2796,6 +2800,8 @@ ieee80211_ht_update_beacon(struct ieee80
 	/* protection mode */
 	ht->hi_byte2 = (ht->hi_byte2 &~ PROTMODE) | ic->ic_curhtprotmode;
 
+	ieee80211_free_node(ni);
+
 	/* XXX propagate to vendor ie's */
 #undef PROTMODE
 }
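Review bot: The release at `ieee80211_free_node(ni);` is reached only on the fall-through path, and the lines between the two hunks are not visible here, so any `return` in that stretch would leak the reference taken at the top of the function. It is worth confirming the function is single-exit and adding a pairing comment such as `/* drop the iv_bss reference taken above */`, so a later early return is not added without the matching release. Neither `ni` nor `bsschan` should be used after this line, since the channel pointer was read out of the node.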


