author: Johannes Berg <johannes.berg@intel.com> 2017-06-10 12:52:43 +0200
committer: Johannes Berg <johannes.berg@intel.com> 2017-06-13 10:24:33 +0200
commit: c87905bec5dad66aa6bb43d11502cafdb33e07db
tree: 1b3c0ab10eeae62cc057c93b3f6189a90555eeb3 /security
parent: mac80211: remove 5/10 MHz rate code from station MLME
mac80211: set bss_info data before configuring the channel

When mac80211 changes the channel, it also calls into the driver's bss_info_changed() callback, e.g. with BSS_CHANGED_IDLE. The driver may, like iwlwifi does, access more data from bss_info in that case and iwlwifi accesses the basic_rates bitmap, but if changing from a band with more (basic) rates to one with fewer, an out-of-bounds access of the rate array may result.

While we can't avoid having invalid data at some point in time, we can avoid having it while we call the driver - so set up all the data before configuring the channel, and then apply it afterwards.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=195677

Reported-by: Johannes Hirte <johannes.hirte@datenkhaos.de>
Tested-by: Johannes Hirte <johannes.hirte@datenkhaos.de>
Debugged-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions
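
The ordering problem described in the commit message above, as an added toy model in C (not code from the kernel or from this commit). All struct, function and table names are hypothetical and the rate tables and bitmaps are constructed sample values; the callback counts stale bitmap bits that would index past the new band's rate array instead of performing the read.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model only: every name here is hypothetical, not a mac80211 or iwlwifi symbol. */
struct band { const int *bitrates; size_t n_bitrates; };
struct bss { const struct band *band; uint32_t basic_rates; };

/* Constructed sample tables (units of 100 kb/s): 12 rates vs. 8 rates. */
static const int rates_a[] = {10, 20, 55, 110, 60, 90, 120, 180, 240, 360, 480, 540};
static const int rates_b[] = {60, 90, 120, 180, 240, 360, 480, 540};
static const struct band band_a = { rates_a, 12 };
static const struct band band_b = { rates_b, 8 };

/* Stand-in for a driver callback that walks the basic_rates bitmap.
 * Returns how many set bits index past the end of the current band's rate
 * array; an unchecked driver would read out of bounds for each of them. */
static int driver_bss_info_changed(const struct bss *b)
{
    int oob = 0;
    for (unsigned int i = 0; i < 32; i++)
        if ((b->basic_rates & (UINT32_C(1) << i)) && i >= b->band->n_bitrates)
            oob++;
    return oob;
}

/* Ordering with the problem: band changes, callback runs, bitmap updated last. */
static int switch_channel_first(struct bss *b, const struct band *nb, uint32_t rates)
{
    b->band = nb;
    int oob = driver_bss_info_changed(b); /* sees the old band's bitmap */
    b->basic_rates = rates;
    return oob;
}

/* Ordering after the change: bitmap is set up before the callback can run. */
static int switch_data_first(struct bss *b, const struct band *nb, uint32_t rates)
{
    b->basic_rates = rates;
    b->band = nb;
    return driver_bss_info_changed(b);
}

int main(void)
{
    struct bss x = { &band_a, 0x10F }, y = { &band_a, 0x10F }; /* bits 0-3 and 8 */
    int bad = switch_channel_first(&x, &band_b, 0x15);
    int good = switch_data_first(&y, &band_b, 0x15);
    return !(bad == 1 && good == 0);
}
```

A bounds check on the bit index inside the callback would be a second line of defence on the driver side, independent of the ordering change the commit describes.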