Bug in AP's station list traversal causing kernel panics


From: Jouni Malinen (jkmaline_at_cc.hut.fi)
Date: 2001-12-21 09:20:52 UTC



There is a bug in Host AP driver's station list traversal that can cause kernel panics. Previous "fixes" to some random crashes were not obviously correct, although they removed some cases. The real problem is in ap_handle_timer()'s sta_list traversal. It is not safe for removed list items. When a station is removed, the for loop gets the next pointer from freed memory which may have changed.

I'm probably not going to test this change or release a new version before January, but I've attached a hopefully correct fix for these problems. The attached patch makes it safe to remove entries during list traversal in ap_handle_timer(). In addition, it fixes another bug in ap_free_sta() where ap->num_sta was not decremented (driver could end up in state where it assumes that there are too many associated stations even though there might not be any).

-- 
Jouni Malinen                                            PGP id EFC895FA
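To illustrate the two defects described in the mail (the next pointer read from freed memory during timer traversal, and the missing num_sta decrement in ap_free_sta()), here is an added example that is not part of the original message or the Host AP driver; struct fields, function signatures and the AP_MAX_INACTIVITY value are assumptions for the example.

```c
#include <stdlib.h>
/* Stand-in for the driver's station record; names are assumptions here. */
struct sta_info {
    struct sta_info *next;
    unsigned long last_rx;   /* time of the last frame from this station */
};
struct ap_data {
    struct sta_info *sta_list;
    int num_sta;             /* number of associated stations */
};
#define AP_MAX_INACTIVITY 300 /* assumed limit, same units as last_rx */
/* Insert a station at the head of the singly linked list. */
struct sta_info *ap_add_sta(struct ap_data *ap, unsigned long now)
{
    struct sta_info *sta = calloc(1, sizeof(*sta));
    if (!sta) return NULL;
    sta->last_rx = now;
    sta->next = ap->sta_list;
    ap->sta_list = sta;
    ap->num_sta++;
    return sta;
}
/* Unlink and free one station. The mail's second bug was a missing
 * num_sta-- here, leaving the AP convinced stations were still present. */
static void ap_free_sta(struct ap_data *ap, struct sta_info *prev,
                        struct sta_info *sta)
{
    if (prev) prev->next = sta->next; else ap->sta_list = sta->next;
    ap->num_sta--;
    free(sta);
}
/* Expire inactive stations. The crashing form was
 *   for (sta = ap->sta_list; sta; sta = sta->next) { ... ap_free_sta(); }
 * which reads sta->next from memory ap_free_sta() just released. Saving
 * next first makes removal during traversal safe. Assumes now >= last_rx. */
int ap_handle_timer(struct ap_data *ap, unsigned long now)
{
    struct sta_info *prev = NULL, *sta = ap->sta_list, *next;
    int expired = 0;
    while (sta) {
        next = sta->next;   /* taken before sta may be freed */
        if (now - sta->last_rx > AP_MAX_INACTIVITY) {
            ap_free_sta(ap, prev, sta);
            expired++;
        } else
            prev = sta;
        sta = next;
    }
    return expired;
}
```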