Fix a VAP BSS node reference in the HT code to actually take a reference

before using said node.

The "blessed" way here is to take a node reference before referencing
anything inside the node, otherwise the node can be freed between
the time the pointer is copied/dereferenced and the time the node contents
are used.

This mirrors fixes that I've done elsewhere in the net80211/driver
stack.

PR:		kern/178470

1 files changed, 7 insertions, 1 deletions

diff --git a/sys/net80211/ieee80211_ht.c b/sys/net80211/ieee80211_ht.c
index e09cd22..7f41b27 100644
--- a/sys/net80211/ieee80211_ht.c
+++ b/sys/net80211/ieee80211_ht.c
@@ -2773,11 +2773,15 @@ ieee80211_ht_update_beacon(struct ieee80211vap *vap,
 	struct ieee80211_beacon_offsets *bo)
 {
 #define	PROTMODE	(IEEE80211_HTINFO_OPMODE|IEEE80211_HTINFO_NONHT_PRESENT)
-	const struct ieee80211_channel *bsschan = vap->iv_bss->ni_chan;
+	struct ieee80211_node *ni;
+	const struct ieee80211_channel *bsschan;
 	struct ieee80211com *ic = vap->iv_ic;
 	struct ieee80211_ie_htinfo *ht =
 	   (struct ieee80211_ie_htinfo *) bo->bo_htinfo;
 
+	ni = ieee80211_ref_node(vap->iv_bss);
+	bsschan = ni->ni_chan;
+
 	/* XXX only update on channel change */
 	ht->hi_ctrlchannel = ieee80211_chan2ieee(ic, bsschan);
 	if (vap->iv_flags_ht & IEEE80211_FHT_RIFS)
@@ -2796,6 +2800,8 @@ ieee80211_ht_update_beacon(struct ieee80211vap *vap,
 	/* protection mode */
 	ht->hi_byte2 = (ht->hi_byte2 &~ PROTMODE) | ic->ic_curhtprotmode;
 
+	ieee80211_free_node(ni);
+
 	/* XXX propagate to vendor ie's */
 #undef PROTMODE
 }