Date:      Sun, 5 Jul 2009 21:35:05 +0000 (UTC)
From:      Sam Leffler <sam@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject:   svn commit: r195384 - projects/mesh11s/sys/net80211
Message-ID:  <200907052135.n65LZ5JJ060318@svn.freebsd.org>

Author: sam
Date: Sun Jul  5 21:35:05 2009
New Revision: 195384
URL: http://svn.freebsd.org/changeset/base/195384

Log:
  o clear vap pointers to private state to catch use-after-free instances
  o fix use-after-free problem on mesh detach; the last reference to
    the bss node is reclaimed after mesh (and hwmp) state has been
    reclaimed so must not touch anything outside the node (or that
    we know is still accessible)

Modified:
  projects/mesh11s/sys/net80211/ieee80211_hwmp.c
  projects/mesh11s/sys/net80211/ieee80211_mesh.c

Modified: projects/mesh11s/sys/net80211/ieee80211_hwmp.c
==============================================================================
--- projects/mesh11s/sys/net80211/ieee80211_hwmp.c	Sun Jul  5 21:19:10 2009	(r195383)
+++ projects/mesh11s/sys/net80211/ieee80211_hwmp.c	Sun Jul  5 21:35:05 2009	(r195384)
@@ -302,6 +302,7 @@ ieee80211_hwmp_vdetach(struct ieee80211v
 		callout_drain(&hs->hs_roottimer);
 	mtx_destroy(&hs->hs_lock);
 	free(vap->iv_hwmp, M_80211_HWMP);
+	vap->iv_hwmp = NULL;
 } 
 
 int

Modified: projects/mesh11s/sys/net80211/ieee80211_mesh.c
==============================================================================
--- projects/mesh11s/sys/net80211/ieee80211_mesh.c	Sun Jul  5 21:19:10 2009	(r195383)
+++ projects/mesh11s/sys/net80211/ieee80211_mesh.c	Sun Jul  5 21:35:05 2009	(r195384)
@@ -177,6 +177,7 @@ mesh_vdetach(struct ieee80211vap *vap)
 	    NULL);
 	ieee80211_hwmp_vdetach(vap);
 	free(vap->iv_mesh, M_80211_VAP);
+	vap->iv_mesh = NULL;
 }
 
 static void
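Review bot: The `vap->iv_mesh = NULL;` store added at the end of mesh_vdetach has no comment, yet it is more than a debugging aid: ieee80211_mesh_node_cleanup, changed later in this same file, tests `vap->iv_mesh != NULL` to decide whether it may still call into HWMP. A short comment here, for example `/* NB: ieee80211_mesh_node_cleanup checks iv_mesh to detect detach */`, would stop a later cleanup from dropping the assignment as redundant and reintroducing the use-after-free. mesh_vdetach starts above the hunk, so the teardown steps before these lines are not visible.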
@@ -2099,8 +2100,12 @@ ieee80211_mesh_node_init(struct ieee8021
 void
 ieee80211_mesh_node_cleanup(struct ieee80211_node *ni)
 {
+	struct ieee80211vap *vap = ni->ni_vap;
+
 	callout_drain(&ni->ni_mltimer);
-	ieee80211_hwmp_peerdown(ni);
+	/* NB: short-circuit callbacks after mesh_vdetach */
+	if (vap->iv_mesh != NULL)
+		ieee80211_hwmp_peerdown(ni);
 }
 
 void
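Review bot: The guard in ieee80211_mesh_node_cleanup tests `vap->iv_mesh`, but the call it protects goes into HWMP, whose private state is `vap->iv_hwmp`. mesh_vdetach calls ieee80211_hwmp_vdetach, which frees and clears iv_hwmp, before it frees and clears iv_mesh, so for a short span iv_mesh is still non-NULL (and briefly dangling) while the HWMP state is already gone. If ieee80211_hwmp_peerdown reads iv_hwmp, which is not visible here, checking the pointer it actually depends on is tighter: `if (vap->iv_mesh != NULL && vap->iv_hwmp != NULL)`. The test is also an unlocked read, so the comment should state what serializes node cleanup against vap detach.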


