diff options
| author | Mark Kettenis <kettenis@cvs.openbsd.org> | 2010-09-29 20:00:52 +0000 |
|---|---|---|
| committer | Mark Kettenis <kettenis@cvs.openbsd.org> | 2010-09-29 20:00:52 +0000 |
| commit | 8b72fccf4746f20530d5b23ddca2640e6b354f35 (patch) | |
| tree | 17e5692d5b8820fa8f7529a013f4fb1f31e8fc50 /sys/net80211 | |
| parent | e3edbbc1448c77df5bd1a3cb6086b2784290ba79 (diff) | |
In the implementation of the SIOCS80211DELNODE ioctl, call
ieee80211_node_leave() instead of ieee80211_release_node() which screws
up reference counting and leads to use after free problems elsewhere in the
code. Since ieee80211_node_leave() is only available if hostap support is
compiled in, don't privide the SIOCS80211DELNODE ioctl if we're compiling
without hostap support (e.g. on ramdisks).
ok deraadt@, damien@
Diffstat (limited to 'sys/net80211')
| -rw-r--r-- | sys/net80211/ieee80211_ioctl.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/net80211/ieee80211_ioctl.c b/sys/net80211/ieee80211_ioctl.c index e6bd1f9dad4..01ebda02015 100644 --- a/sys/net80211/ieee80211_ioctl.c +++ b/sys/net80211/ieee80211_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ieee80211_ioctl.c,v 1.33 2009/09/12 19:37:27 miod Exp $ */ +/* $OpenBSD: ieee80211_ioctl.c,v 1.34 2010/09/29 20:00:51 kettenis Exp $ */ /* $NetBSD: ieee80211_ioctl.c,v 1.15 2004/05/06 02:58:16 dyoung Exp $ */ /*- @@ -676,6 +676,7 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) if (nr->nr_flags & IEEE80211_NODEREQ_COPY) ieee80211_req2node(ic, nr, ni); break; +#ifndef IEEE80211_STA_ONLY case SIOCS80211DELNODE: if ((error = suser(curproc, 0)) != 0) break; @@ -701,9 +702,10 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) IEEE80211_FC0_SUBTYPE_DEAUTH, IEEE80211_REASON_AUTH_LEAVE); - ieee80211_release_node(ic, ni); + ieee80211_node_leave(ic, ni); } break; +#endif case SIOCG80211ALLNODES: na = (struct ieee80211_nodereq_all *)data; na->na_nodes = i = 0; |