When injecting frames a temporary node is faked, during this several

uses of ic_curchan occur. Due to the nature of a scan, switching channels constantly and all this happening without any kind of locks held, it might happen that ic_curchan points to nowhere leading to panics. Fix this by not allowing frame injections while in SCAN state. Tested by: Paul B. Mahol <onemda at gmail.com>
author: bschmidt <bschmidt@FreeBSD.org> 2011-03-13 12:56:46 +0000
committer: bschmidt <bschmidt@FreeBSD.org> 2011-03-13 12:56:46 +0000
commit: 2671ddd1130068db9891f66a1b48e6440675936d (patch)
tree: 21b14ca6a39093bed21199c0bda978fef393f4bb /sys/net80211
parent: e31826f679cd5be5a21f3cd3c7a59a3b191be5fe (diff)
download: FreeBSD-src-2671ddd1130068db9891f66a1b48e6440675936d.zip
FreeBSD-src-2671ddd1130068db9891f66a1b48e6440675936d.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/net80211/ieee80211_output.c b/sys/net80211/ieee80211_output.c
index f18d0c4..c564dd8 100644
--- a/sys/net80211/ieee80211_output.c
+++ b/sys/net80211/ieee80211_output.c
@@ -419,7 +419,8 @@ ieee80211_output(struct ifnet *ifp, struct mbuf *m,
 		    "block %s frame in CAC state\n", "raw data");
 		vap->iv_stats.is_tx_badstate++;
 		senderr(EIO);		/* XXX */
-	}
+	} else if (vap->iv_state == IEEE80211_S_SCAN)
+		senderr(EIO);
 	/* XXX bypass bridge, pfil, carp, etc. */
 
 	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack))
author	bschmidt <bschmidt@FreeBSD.org>	2011-03-13 12:56:46 +0000
committer	bschmidt <bschmidt@FreeBSD.org>	2011-03-13 12:56:46 +0000
commit	2671ddd1130068db9891f66a1b48e6440675936d (patch)
tree	21b14ca6a39093bed21199c0bda978fef393f4bb /sys/net80211
parent	e31826f679cd5be5a21f3cd3c7a59a3b191be5fe (diff)
download	FreeBSD-src-2671ddd1130068db9891f66a1b48e6440675936d.zip FreeBSD-src-2671ddd1130068db9891f66a1b48e6440675936d.tar.gz