[055/119] mac80211: fix two remote exploits

From: Greg KH
Date: Sun Dec 06 2009 - 19:26:56 EST


2.6.31-stable review patch. If anyone has any objections, please let us know.

------------------
From: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>

commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51 upstream.

Lennert Buytenhek noticed a remotely triggerable problem
in mac80211, which is due to some code shuffling I did
that ended up changing the order in which things were
done -- this was in

commit d75636ef9c1af224f1097941879d5a8db7cd04e5
Author: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
Date: Tue Feb 10 21:25:53 2009 +0100

mac80211: RX aggregation: clean up stop session

The problem is that the BUG_ON moved before the various
checks, and as such can be triggered.

As the comment indicates, the BUG_ON can be removed since
the ampdu_action callback must already exist when the
state is OPERATIONAL.

A similar code path leads to a WARN_ON in
ieee80211_stop_tx_ba_session, which can also be removed.

Cc: Lennert Buytenhek <buytenh@xxxxxxxxxxx>
Signed-off-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
Signed-off-by: John W. Linville <linville@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
net/mac80211/agg-rx.c | 4 ----
net/mac80211/agg-tx.c | 2 +-
2 files changed, 1 insertion(+), 5 deletions(-)

--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -85,10 +85,6 @@ void ieee80211_sta_stop_rx_ba_session(st
struct ieee80211_local *local = sdata->local;
struct sta_info *sta;

- /* stop HW Rx aggregation. ampdu_action existence
- * already verified in session init so we add the BUG_ON */
- BUG_ON(!local->ops->ampdu_action);
-
rcu_read_lock();

sta = sta_info_get(local, ra);
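Review bot: with the BUG_ON(!local->ops->ampdu_action) and its comment deleted from the top of ieee80211_sta_stop_rx_ba_session, nothing in the function records why the callback may be assumed present. The changelog gives the reason (the callback must already exist when the state is OPERATIONAL); a one-line comment where the callback is actually used, stating that it is only reached in that state, would keep the invariant visible and make a later reordering like the one described in the changelog easier to catch. The tx hunk in this same patch keeps an explicit NULL check returning -EINVAL, so it is worth saying why the rx path needs none.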
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -546,7 +546,7 @@ int ieee80211_stop_tx_ba_session(struct
struct sta_info *sta;
int ret = 0;

- if (WARN_ON(!local->ops->ampdu_action))
+ if (!local->ops->ampdu_action)
return -EINVAL;

if (tid >= STA_TID_NUM)
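Review bot: the check at the top of ieee80211_stop_tx_ba_session now returns -EINVAL silently where it used to WARN_ON, and nothing in the code says why the warning was dropped. The changelog only notes that a similar, remotely triggerable code path leads here; a short comment above `if (!local->ops->ampdu_action)` saying the condition can be reached that way and therefore must not warn would keep someone from re-adding the WARN_ON. The changelog could also state which caller reaches this function without the callback set, since the rx hunk argues the callback always exists by the time it matters.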

