svn commit: r195384 - projects/mesh11s/sys/net80211
Sam Leffler
sam at FreeBSD.org
Sun Jul 5 21:35:06 UTC 2009
Author: sam
Date: Sun Jul 5 21:35:05 2009
New Revision: 195384
URL: http://svn.freebsd.org/changeset/base/195384
Log:
o clear vap pointers to private state to catch use-after-free instances
o fix use-after-free problem on mesh detach; the last reference to
the bss node is reclaimed after mesh (and hwmp) state has been
reclaimed so must not touch anything outside the node (or that
we know is still accessible)
Modified:
projects/mesh11s/sys/net80211/ieee80211_hwmp.c
projects/mesh11s/sys/net80211/ieee80211_mesh.c
Modified: projects/mesh11s/sys/net80211/ieee80211_hwmp.c
==============================================================================
--- projects/mesh11s/sys/net80211/ieee80211_hwmp.c Sun Jul 5 21:19:10 2009 (r195383)
+++ projects/mesh11s/sys/net80211/ieee80211_hwmp.c Sun Jul 5 21:35:05 2009 (r195384)
@@ -302,6 +302,7 @@ ieee80211_hwmp_vdetach(struct ieee80211v
callout_drain(&hs->hs_roottimer);
mtx_destroy(&hs->hs_lock);
free(vap->iv_hwmp, M_80211_HWMP);
+ vap->iv_hwmp = NULL;
}
int
Modified: projects/mesh11s/sys/net80211/ieee80211_mesh.c
==============================================================================
--- projects/mesh11s/sys/net80211/ieee80211_mesh.c Sun Jul 5 21:19:10 2009 (r195383)
+++ projects/mesh11s/sys/net80211/ieee80211_mesh.c Sun Jul 5 21:35:05 2009 (r195384)
@@ -177,6 +177,7 @@ mesh_vdetach(struct ieee80211vap *vap)
NULL);
ieee80211_hwmp_vdetach(vap);
free(vap->iv_mesh, M_80211_VAP);
+ vap->iv_mesh = NULL;
}
static void
@@ -2099,8 +2100,12 @@ ieee80211_mesh_node_init(struct ieee8021
void
ieee80211_mesh_node_cleanup(struct ieee80211_node *ni)
{
+ struct ieee80211vap *vap = ni->ni_vap;
+
callout_drain(&ni->ni_mltimer);
- ieee80211_hwmp_peerdown(ni);
+ /* NB: short-circuit callbacks after mesh_vdetach */
+ if (vap->iv_mesh != NULL)
+ ieee80211_hwmp_peerdown(ni);
}
void
More information about the svn-src-projects
mailing list