author | bschmidt <bschmidt@FreeBSD.org> | 2011-03-13 12:56:46 +0000 |
---|---|---|
committer | bschmidt <bschmidt@FreeBSD.org> | 2011-03-13 12:56:46 +0000 |
commit | 2671ddd1130068db9891f66a1b48e6440675936d (patch) | |
tree | 21b14ca6a39093bed21199c0bda978fef393f4bb /sys/net80211 | |
parent | e31826f679cd5be5a21f3cd3c7a59a3b191be5fe (diff) | |
When injecting frames a temporary node is faked, during this several
uses of ic_curchan occur. Due to the nature of a scan, switching
channels constantly and all this happening without any kind of locks
held, it might happen that ic_curchan points to nowhere leading to
panics. Fix this by not allowing frame injections while in SCAN state.
Tested by: Paul B. Mahol <onemda at gmail.com>
Diffstat (limited to 'sys/net80211')
-rw-r--r-- | sys/net80211/ieee80211_output.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/net80211/ieee80211_output.c b/sys/net80211/ieee80211_output.c index f18d0c4..c564dd8 100644 --- a/sys/net80211/ieee80211_output.c +++ b/sys/net80211/ieee80211_output.c @@ -419,7 +419,8 @@ ieee80211_output(struct ifnet *ifp, struct mbuf *m, "block %s frame in CAC state\n", "raw data"); vap->iv_stats.is_tx_badstate++; senderr(EIO); /* XXX */ - } + } else if (vap->iv_state == IEEE80211_S_SCAN) + senderr(EIO); /* XXX bypass bridge, pfil, carp, etc. */ if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack)) |
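Review bot: the new `else if (vap->iv_state == IEEE80211_S_SCAN)` branch rejects the frame silently, while the CAC branch directly above it logs "block %s frame in CAC state" and increments `vap->iv_stats.is_tx_badstate` before `senderr(EIO)`. Injection attempts dropped during a scan will therefore not show up in the statistics or debug output; consider bumping `vap->iv_stats.is_tx_badstate` here as well and adding a matching debug message, with braces around the body to match the preceding block. Separately, `vap->iv_state` is read with no lock visible in this hunk, and the commit message says the channel switching happens without locks held, so a scan that begins right after this check passes could still reach the `ic_curchan` uses. The check narrows the window rather than closing it, and a comment saying so (or taking the appropriate lock around the state check and the node setup) would make that explicit.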