summaryrefslogtreecommitdiffstats
path: root/net/ipv6/xfrm6_mode_tunnel.c
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2010-07-27 00:52:03 +0200
committerJohn W. Linville <linville@tuxdriver.com>2010-07-27 20:59:58 +0200
commit32162a4dab0e6a4ca7f886a01173b5f9b80843be (patch)
treea8337e9b9788b787c13241ec9a9642527d5aad6a /net/ipv6/xfrm6_mode_tunnel.c
parentp54: Added get_survey callback in order to get channel noise (diff)
downloadlinux-32162a4dab0e6a4ca7f886a01173b5f9b80843be.tar.xz
linux-32162a4dab0e6a4ca7f886a01173b5f9b80843be.zip
mac80211: Fix key freeing to handle unlinked keys
Key locking simplification removed key->sdata != NULL verification from ieee80211_key_free(). While that is fine for most use cases, there is one path where this function can be called with an unlinked key (i.e., key->sdata == NULL && key->local == NULL). This results in a NULL pointer dereference with the current implementation. This is known to happen at least with FT protocol when wpa_supplicant tries to configure the key before association. Avoid the issue by passing in the local pointer to ieee80211_key_free(). In addition, do not clear the key from hw_accel or debugfs if it has not yet been added. At least the hw_accel one could trigger another NULL pointer dereference. Signed-off-by: Jouni Malinen <j@w1.fi> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/ipv6/xfrm6_mode_tunnel.c')
0 files changed, 0 insertions, 0 deletions