diff options
| author | Stefan Sperling <stsp@cvs.openbsd.org> | 2022-01-04 15:53:58 +0000 |
|---|---|---|
| committer | Stefan Sperling <stsp@cvs.openbsd.org> | 2022-01-04 15:53:58 +0000 |
| commit | 13a4e1de96007403997f02b4262e451e2d1cd636 (patch) | |
| tree | e09bae3433c9de43f80b6afd6a4dacbf4857c540 /sys | |
| parent | 15cc5deec672e10389fc9143ae7975126210b835 (diff) | |
fix Rx Block Ack session validity checks in iwm(4) and iwx(4)
I ported a NULL pointer check from iwlwifi rxmq.c which cannot
happen in our version of this code. Instead we need to check
the BA session ID to determine whether a BA session is valid.
Patch by Christian Ehrhardt.
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/dev/pci/if_iwm.c | 5 | ||||
| -rw-r--r-- | sys/dev/pci/if_iwx.c | 7 |
2 files changed, 7 insertions, 5 deletions
diff --git a/sys/dev/pci/if_iwm.c b/sys/dev/pci/if_iwm.c index ab482a8a7da..6bd432fba47 100644 --- a/sys/dev/pci/if_iwm.c +++ b/sys/dev/pci/if_iwm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwm.c,v 1.385 2021/12/20 15:08:10 stsp Exp $ */ +/* $OpenBSD: if_iwm.c,v 1.386 2022/01/04 15:53:57 stsp Exp $ */ /* * Copyright (c) 2014, 2016 genua gmbh <info@genua.de> @@ -5115,7 +5115,8 @@ iwm_rx_reorder(struct iwm_softc *sc, struct mbuf *m, int chanidx, return 0; rxba = &sc->sc_rxba_data[baid]; - if (rxba == NULL || tid != rxba->tid || rxba->sta_id != IWM_STATION_ID) + if (rxba->baid == IWM_RX_REORDER_DATA_INVALID_BAID || + tid != rxba->tid || rxba->sta_id != IWM_STATION_ID) return 0; if (rxba->timeout != 0) diff --git a/sys/dev/pci/if_iwx.c b/sys/dev/pci/if_iwx.c index 197efe2a823..98e1e7da6a1 100644 --- a/sys/dev/pci/if_iwx.c +++ b/sys/dev/pci/if_iwx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwx.c,v 1.128 2021/12/03 14:32:08 stsp Exp $ */ +/* $OpenBSD: if_iwx.c,v 1.129 2022/01/04 15:53:57 stsp Exp $ */ /* * Copyright (c) 2014, 2016 genua gmbh <info@genua.de> @@ -2931,7 +2931,7 @@ iwx_rx_bar_frame_release(struct iwx_softc *sc, struct iwx_rx_packet *pkt, return; rxba = &sc->sc_rxba_data[baid]; - if (rxba == NULL || rxba->baid == IWX_RX_REORDER_DATA_INVALID_BAID) + if (rxba->baid == IWX_RX_REORDER_DATA_INVALID_BAID) return; tid = le32toh(release->sta_tid) & IWX_BAR_FRAME_RELEASE_TID_MASK; @@ -4251,7 +4251,8 @@ iwx_rx_reorder(struct iwx_softc *sc, struct mbuf *m, int chanidx, return 0; rxba = &sc->sc_rxba_data[baid]; - if (rxba == NULL || tid != rxba->tid || rxba->sta_id != IWX_STATION_ID) + if (rxba->baid == IWX_RX_REORDER_DATA_INVALID_BAID || + tid != rxba->tid || rxba->sta_id != IWX_STATION_ID) return 0; if (rxba->timeout != 0) |