authoradrian <adrian@FreeBSD.org>2012-12-08 09:48:03 +0000
committeradrian <adrian@FreeBSD.org>2012-12-08 09:48:03 +0000
commit47e04cdf7b1938228ba72fcbf7f45934af357638 (patch)
treead3200508a2f5f13b6cbc9d70d49302281c61c29 /sys/net80211/ieee80211_superg.c
parentfc894920846310fe32dd7fbf77ca03f7fb1c5dd9 (diff)
Fix a use-after-free bug in the Atheros fast-frames support.
Tested: * AR5212 AP, AR5413 STA, iperf TCP STA->AP, destroyed and/or shutdown the STA vap during active iperf TCP traffic. PR: kern/174273 MFC after: 1 week
Diffstat (limited to 'sys/net80211/ieee80211_superg.c')
-rw-r--r--sys/net80211/ieee80211_superg.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/sys/net80211/ieee80211_superg.c b/sys/net80211/ieee80211_superg.c
index a061929..bb208a7 100644
--- a/sys/net80211/ieee80211_superg.c
+++ b/sys/net80211/ieee80211_superg.c
@@ -784,7 +784,7 @@ ieee80211_ff_node_cleanup(struct ieee80211_node *ni)
struct ieee80211com *ic = ni->ni_ic;
struct ieee80211_superg *sg = ic->ic_superg;
struct ieee80211_tx_ampdu *tap;
- struct mbuf *m, *head;
+ struct mbuf *m, *next_m, *head;
int tid;
IEEE80211_LOCK(ic);
@@ -803,9 +803,16 @@ ieee80211_ff_node_cleanup(struct ieee80211_node *ni)
}
IEEE80211_UNLOCK(ic);
- for (m = head; m != NULL; m = m->m_nextpkt) {
+ /*
+ * Free mbufs, taking care to not dereference the mbuf after
+ * we free it (hence grabbing m_nextpkt before we free it.)
+ */
+ m = head;
+ while (m != NULL) {
+ next_m = m->m_nextpkt;
m_freem(m);
ieee80211_free_node(ni);
+ m = next_m;
}
}
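Review bot: The rewritten loop still calls `ieee80211_free_node(ni)` once per staged mbuf without saying why, and nothing in the hunk shows that the caller keeps its own reference on `ni` while the loop runs. If the references dropped here could be the last ones, a later iteration would pass an already-released node, which is the same class of bug this commit fixes for the mbuf. I would extend the new comment with something like `Each staged frame holds a node reference; the caller must hold its own until we return.` (wording to be confirmed against the callers), or add an assertion to that effect. Setting `m->m_nextpkt = NULL;` before `m_freem(m)` would also keep a stale queue link out of the freed packet. The function begins above this hunk, so the staging-queue teardown done under the lock is not visible here.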