d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix a use-after-free bug in the Atheros fast-frames support.

Browse Source 
Tested:

* AR5212 AP, AR5413 STA, iperf TCP STA->AP, destroyed and/or shutdown
  the STA vap during active iperf TCP traffic.

PR:		kern/174273
MFC after:	1 week
This commit is contained in:
Adrian Chadd 2012-12-08 09:48:03 +00:00
parent b0ae014466
commit 132581aa5d
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
sys/net80211/ieee80211_superg.c
View File

@ -784,7 +784,7 @@ ieee80211_ff_node_cleanup(struct ieee80211_node *ni)
struct ieee80211com *ic = ni->ni_ic; struct ieee80211com *ic = ni->ni_ic;
struct ieee80211_superg *sg = ic->ic_superg; struct ieee80211_superg *sg = ic->ic_superg;
struct ieee80211_tx_ampdu *tap; struct ieee80211_tx_ampdu *tap;
struct mbuf *m, *head; struct mbuf *m, *next_m, *head;
int tid; int tid;
IEEE80211_LOCK(ic); IEEE80211_LOCK(ic);
@ -803,9 +803,16 @@ ieee80211_ff_node_cleanup(struct ieee80211_node *ni)
} }
IEEE80211_UNLOCK(ic); IEEE80211_UNLOCK(ic);
for (m = head; m != NULL; m = m->m_nextpkt) { /*
* Free mbufs, taking care to not dereference the mbuf after
* we free it (hence grabbing m_nextpkt before we free it.)
*/
m = head;
while (m != NULL) {
next_m = m->m_nextpkt;
m_freem(m); m_freem(m);
ieee80211_free_node(ni); ieee80211_free_node(ni);
m = next_m;
} }
} }