Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 13 Mar 2011 12:56:46 +0000 (UTC)
From:      Bernhard Schmidt <bschmidt@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r219604 - head/sys/net80211
Message-ID:  <201103131256.p2DCukrp055298@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: bschmidt
Date: Sun Mar 13 12:56:46 2011
New Revision: 219604
URL: http://svn.freebsd.org/changeset/base/219604

Log:
  When injecting frames a temporary node is faked, during this several
  uses of ic_curchan occur. Due to the nature of a scan, switching
  channels constantly and all this happening without any kind of locks
  held, it might happen that ic_curchan points to nowhere leading to
  panics. Fix this by not allowing frame injections while in SCAN state.
  
  Tested by:	Paul B. Mahol <onemda at gmail.com>

Modified:
  head/sys/net80211/ieee80211_output.c

Modified: head/sys/net80211/ieee80211_output.c
==============================================================================
--- head/sys/net80211/ieee80211_output.c	Sun Mar 13 12:21:04 2011	(r219603)
+++ head/sys/net80211/ieee80211_output.c	Sun Mar 13 12:56:46 2011	(r219604)
@@ -419,7 +419,8 @@ ieee80211_output(struct ifnet *ifp, stru
 		    "block %s frame in CAC state\n", "raw data");
 		vap->iv_stats.is_tx_badstate++;
 		senderr(EIO);		/* XXX */
-	}
+	} else if (vap->iv_state == IEEE80211_S_SCAN)
+		senderr(EIO);
 	/* XXX bypass bridge, pfil, carp, etc. */
 
 	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack))



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201103131256.p2DCukrp055298>