Date: Mon, 19 Feb 2024 16:10:21 GMT
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: f7c8d5448446 - releng/13.3 - net80211: fix a NULL deref in ieee80211_sta_join1()
Message-ID: <202402191610.41JGALVN035839@gitrepo.freebsd.org>
The branch releng/13.3 has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=f7c8d5448446a470baaca560f91c884e5ceeecc7

commit f7c8d5448446a470baaca560f91c884e5ceeecc7
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2024-01-16 18:53:06 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2024-02-19 16:07:06 +0000

    net80211: fix a NULL deref in ieee80211_sta_join1()

    When ieee80211_sta_join1() gets an obss without ni_nt, trying to lock
    that will cause a NULL pointer deref. Check for the table to be valid
    and deal with the obss node accordingly.

    This can happen if sta_newstate() calls ieee80211_reset_bss() for
    nstate == INIT and ostate != INIT. ieee80211_reset_bss() itself calls
    ieee80211_node_table_reset() which calls node_reclaim() which ends up
    in ieee80211_del_node_nt() which does remove the node from the table
    and sets ni_table to NULL. That node (former iv_bss) can then be
    returned as obss in the (*iv_update_bss)() call in join1().

    Approved by:	re (cperciva)
    Reviewed by:	adrian, cc
    Differential Revision:	https://reviews.freebsd.org/D43469

    (cherry picked from commit 8a5a3e3d0436a2de9dc5c2c10bd9a471b6338233)
    (cherry picked from commit 755a04671dd47390f6d49695a6ac9c2d31c9935c)
---
 sys/net80211/ieee80211_node.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/sys/net80211/ieee80211_node.c b/sys/net80211/ieee80211_node.c
index a70edfa3acc4..0f0ecf37fe94 100644
--- a/sys/net80211/ieee80211_node.c
+++ b/sys/net80211/ieee80211_node.c
@@ -867,11 +867,14 @@ ieee80211_sta_join1(struct ieee80211_node *selbs) struct ieee80211_node_table *nt = obss->ni_table; copy_bss(selbs, obss); - ieee80211_node_decref(obss); /* iv_bss reference */ - - IEEE80211_NODE_LOCK(nt); - node_reclaim(nt, obss); /* station table reference */ - IEEE80211_NODE_UNLOCK(nt); + if (nt != NULL) { + ieee80211_node_decref(obss); /* iv_bss reference */ + IEEE80211_NODE_LOCK(nt); + node_reclaim(nt, obss); /* station table reference */ + IEEE80211_NODE_UNLOCK(nt); + } else { + ieee80211_free_node(obss); /* iv_bss reference */ + } obss = NULL; /* NB: guard against later use */ }
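Review bot: the new else branch in this hunk needs a comment explaining when obss->ni_table is NULL (per the commit message: the node was already reclaimed from the table by ieee80211_node_table_reset() during ieee80211_reset_bss()) and why the iv_bss reference is released with ieee80211_free_node() there while the if branch uses ieee80211_node_decref() followed by node_reclaim() under the node lock. Both branches carry the identical comment `/* iv_bss reference */`, which hides that asymmetry; something like `/* already off the node table; this is the last reference */` on the else branch would save the next reader a trip to the commit log. Also worth a line in the code or the commit message: the NULL check is a correctness guard for a node handed back by (*iv_update_bss)(), so a reviewer should confirm that no other caller can reach this path with a node that is still on a table but has ni_table cleared, since only the table pointer, not the reference count, decides which branch runs.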