When injecting frames a temporary node is faked, during this several
uses of ic_curchan occur. Due to the nature of a scan, switching
channels constantly and all this happening without any kind of locks
held, it might happen that ic_curchan points to nowhere leading to
panics. Fix this by not allowing frame injections while in SCAN state.

Tested by:	Paul B. Mahol <onemda at gmail.com>
Bernhard Schmidt 2011-03-13 12:56:46 +00:00
parent 9d36b055fd
commit 0d9aed8ad6
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=219604

@ -419,7 +419,8 @@ ieee80211_output(struct ifnet *ifp, struct mbuf *m,
"block %s frame in CAC state\n", "raw data");
vap->iv_stats.is_tx_badstate++;
senderr(EIO); /* XXX */
}
} else if (vap->iv_state == IEEE80211_S_SCAN)
senderr(EIO);
/* XXX bypass bridge, pfil, carp, etc. */
if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack))
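
Review bot: The new `else if (vap->iv_state == IEEE80211_S_SCAN)` branch rejects the frame silently, while the CAC branch directly above it emits a "block %s frame in CAC state" message and increments `vap->iv_stats.is_tx_badstate` before `senderr(EIO)`. Consider bracing the SCAN branch and giving it the same counter increment and a matching debug message, so injections refused during a scan show up in the statistics. Separately, the commit message says this path runs without locks held, so the `iv_state` test is a snapshot taken before the later uses of ic_curchan; a short comment stating whether a transition into SCAN after this check is still possible would help the next reader.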