From 32162a4dab0e6a4ca7f886a01173b5f9b80843be Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Mon, 26 Jul 2010 15:52:03 -0700 Subject: mac80211: Fix key freeing to handle unlinked keys Key locking simplification removed key->sdata != NULL verification from ieee80211_key_free(). While that is fine for most use cases, there is one path where this function can be called with an unlinked key (i.e., key->sdata == NULL && key->local == NULL). This results in a NULL pointer dereference with the current implementation. This is known to happen at least with FT protocol when wpa_supplicant tries to configure the key before association. Avoid the issue by passing in the local pointer to ieee80211_key_free(). In addition, do not clear the key from hw_accel or debugfs if it has not yet been added. At least the hw_accel one could trigger another NULL pointer dereference. Signed-off-by: Jouni Malinen Reviewed-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/sta_info.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net/mac80211/sta_info.c') diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index 67656cb..6d86f0c 100644 --- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c @@ -647,7 +647,7 @@ static int __must_check __sta_info_destroy(struct sta_info *sta) return ret; if (sta->key) { - ieee80211_key_free(sta->key); + ieee80211_key_free(local, sta->key); WARN_ON(sta->key); } -- cgit v1.1