authorBob Copeland <me@bobcopeland.com>2016-03-19 05:11:28 +0300
committerJohannes Berg <johannes.berg@intel.com>2016-04-05 22:34:50 +0300
commit0aa7fabbd5d9da1f8a8fdc3e2837c532bcfa5664 (patch)
treebb69412b2a94fe667a655be8ef40f974cb5fab9a /net/mac80211
parent749329594b5e0fb612b2de642a692323ddf661dd (diff)
mac80211: mesh: handle failed alloc for rmc cache
In the unlikely case that mesh_rmc_init() fails with -ENOMEM, the rmc pointer will be left as NULL but the interface is still operational because ieee80211_mesh_init_sdata() is not allowed to fail. If this happens, we would blindly dereference rmc when checking whether a multicast frame is in the cache. Instead just drop the frames in the forwarding path. Signed-off-by: Bob Copeland <me@bobcopeland.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211')
-rw-r--r--net/mac80211/mesh.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index a216c439b6f2..d0d8eeaa8129 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -220,6 +220,9 @@ int mesh_rmc_check(struct ieee80211_sub_if_data *sdata,
u8 idx;
struct rmc_entry *p, *n;
+ if (!rmc)
+ return -1;
+
/* Don't care about endianness since only match matters */
memcpy(&seqnum, &mesh_hdr->seqnum, sizeof(mesh_hdr->seqnum));
idx = le32_to_cpu(mesh_hdr->seqnum) & rmc->idx_mask;
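Review bot: The new `if (!rmc) return -1;` guard at the top of mesh_rmc_check() carries no comment explaining that -1 is a deliberate fail-closed result, not an error code. Going by the commit description, the caller is expected to drop the frame, so a line above the check such as `/* no cache (alloc failed at init): fail closed, report the frame as seen so it is dropped */` would make that clear. The guard is also silent in this hunk, so an interface in this state would apparently stop forwarding multicast with nothing logged here; a one-time warning at the point where the allocation fails, which is outside this hunk, would make the condition detectable. The assignment of `rmc` and the rest of the function body are outside the hunk, so it is worth confirming that no other path dereferences `sdata->u.mesh.rmc` without the same check.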