Commit 4253119a authored by Johannes Berg
mac80211: fix two remote exploits

Lennert Buytenhek noticed a remotely triggerable problem
in mac80211, which is due to some code shuffling I did
that ended up changing the order in which things were
done -- this was in

  commit d75636ef

  Author: Johannes Berg <>
  Date:   Tue Feb 10 21:25:53 2009 +0100

    mac80211: RX aggregation: clean up stop session

The problem is that the BUG_ON moved before the various
checks, and as such can be triggered.

As the comment indicates, the BUG_ON can be removed since
the ampdu_action callback must already exist when the

A similar code path leads to a WARN_ON in
ieee80211_stop_tx_ba_session, which can also be removed.

Cc: [2.6.29+]
Cc: Lennert Buytenhek <>
Signed-off-by: Johannes Berg <>
Signed-off-by: John W. Linville <>
parent 3e984840
...@@ -85,10 +85,6 @@ void ieee80211_sta_stop_rx_ba_session(struct ieee80211_sub_if_data *sdata, u8 *r ...@@ -85,10 +85,6 @@ void ieee80211_sta_stop_rx_ba_session(struct ieee80211_sub_if_data *sdata, u8 *r
struct ieee80211_local *local = sdata->local; struct ieee80211_local *local = sdata->local;
struct sta_info *sta; struct sta_info *sta;
/* stop HW Rx aggregation. ampdu_action existence
* already verified in session init so we add the BUG_ON */
rcu_read_lock(); rcu_read_lock();
sta = sta_info_get(local, ra); sta = sta_info_get(local, ra);
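Review bot: At the top of ieee80211_sta_stop_rx_ba_session, the comment that recorded where ampdu_action is verified ("already verified in session init") goes away together with the assertion, so the lines shown here no longer document or check that the callback is set before the function proceeds to `sta_info_get(local, ra)`. Since the commit message says this path can be reached by a remote peer, consider either keeping a one-line comment that names the place where the callback is validated, or adding a silent guard such as `if (!local->ops->ampdu_action) return;` so the RX path matches the plain NULL check the TX path keeps in the second hunk.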
...@@ -545,7 +545,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_hw *hw, ...@@ -545,7 +545,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_hw *hw,
struct sta_info *sta; struct sta_info *sta;
int ret = 0; int ret = 0;
if (WARN_ON(!local->ops->ampdu_action)) if (!local->ops->ampdu_action)
return -EINVAL; return -EINVAL;
if (tid >= STA_TID_NUM) if (tid >= STA_TID_NUM)
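Review bot: The `if (!local->ops->ampdu_action)` check in ieee80211_stop_tx_ba_session now returns -EINVAL silently, and nothing at that line says why the WARN_ON was dropped. A short comment stating that this condition can be reached from a remote peer's frames, and therefore must not warn, would keep a later cleanup from reintroducing `WARN_ON(!local->ops->ampdu_action)`. It is also worth confirming that callers treat -EINVAL from this function as an ordinary failure rather than logging it loudly themselves, since that would recreate the remotely triggerable noise one level up.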
