diff options
author | Bob Copeland <me@bobcopeland.com> | 2016-03-19 03:11:28 +0100 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2016-04-05 21:34:50 +0200 |
commit | 0aa7fabbd5d9da1f8a8fdc3e2837c532bcfa5664 (patch) | |
tree | bb69412b2a94fe667a655be8ef40f974cb5fab9a /net/mac80211 | |
parent | mac80211: mesh: fix crash in mesh_path_timer (diff) | |
download | linux-0aa7fabbd5d9da1f8a8fdc3e2837c532bcfa5664.tar.xz linux-0aa7fabbd5d9da1f8a8fdc3e2837c532bcfa5664.zip |
mac80211: mesh: handle failed alloc for rmc cache
In the unlikely case that mesh_rmc_init() fails with -ENOMEM,
the rmc pointer will be left as NULL but the interface is still
operational because ieee80211_mesh_init_sdata() is not allowed
to fail.
If this happens, we would blindly dereference rmc when checking
whether a multicast frame is in the cache. Instead just drop the
frames in the forwarding path.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211')
-rw-r--r-- | net/mac80211/mesh.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c index a216c439b6f2..d0d8eeaa8129 100644 --- a/net/mac80211/mesh.c +++ b/net/mac80211/mesh.c @@ -220,6 +220,9 @@ int mesh_rmc_check(struct ieee80211_sub_if_data *sdata, u8 idx; struct rmc_entry *p, *n; + if (!rmc) + return -1; + /* Don't care about endianness since only match matters */ memcpy(&seqnum, &mesh_hdr->seqnum, sizeof(mesh_hdr->seqnum)); idx = le32_to_cpu(mesh_hdr->seqnum) & rmc->idx_mask; |