summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2015-03-01 10:10:12 +0300
committerJohannes Berg <johannes.berg@intel.com>2015-03-04 12:34:11 +0300
commit88724a81b4ac2a755bf9c532cdbee08a52803852 (patch)
tree7c73b370322b85288b70dd3a8313bd10f27b8657
parent0b4e11074a933937ee75be371d32bf91a0051419 (diff)
downloadlinux-88724a81b4ac2a755bf9c532cdbee08a52803852.tar.xz
mac80211: check and dequeue skb in ieee80211_tx_prepare_skb()
The ieee80211_tx_prepare_skb() function currently entirely ignores the fact that the SKB that is passed in might be split into more than one due to fragmentation and doesn't check the list of skbs that the TX handlers may create. In case this happens, it would leak them. Fix this and also don't leave the skb next/prev pointers dangling pointing to the on-stack sk_buff_head. Reported-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-rw-r--r--net/mac80211/tx.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index a23a84e93e80..7e7de811e6ad 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1420,6 +1420,7 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw,
struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
struct ieee80211_tx_data tx;
+ struct sk_buff *skb2;
if (ieee80211_tx_prepare(sdata, &tx, skb) == TX_DROP)
return false;
@@ -1438,6 +1439,14 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw,
*sta = NULL;
}
+ /* this function isn't suitable for fragmented data frames */
+ skb2 = __skb_dequeue(&tx.skbs);
+ if (WARN_ON(skb2 != skb || !skb_queue_empty(&tx.skbs))) {
+ ieee80211_free_txskb(hw, skb2);
+ ieee80211_purge_tx_queue(hw, &tx.skbs);
+ return false;
+ }
+
return true;
}
EXPORT_SYMBOL(ieee80211_tx_prepare_skb);