[src/trunk]: src/sys/net80211 Fix use-after-free, m_cat can free m.

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/sys/net80211 Fix use-after-free, m_cat can free m.
From: maxv <maxv%NetBSD.org@localhost>
Date: Thu, 21 Jun 2018 19:17:07 +0000

details:   https://anonhg.NetBSD.org/src/rev/baf16033e515
branches:  trunk
changeset: 320063:baf16033e515
user:      maxv <maxv%NetBSD.org@localhost>
date:      Thu Jun 21 16:53:10 2018 +0000

description:
Fix use-after-free, m_cat can free m.

diffstat:

 sys/net80211/ieee80211_input.c |  16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

diffs (58 lines):

diff -r b170e24b221f -r baf16033e515 sys/net80211/ieee80211_input.c
--- a/sys/net80211/ieee80211_input.c    Thu Jun 21 16:47:06 2018 +0000
+++ b/sys/net80211/ieee80211_input.c    Thu Jun 21 16:53:10 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ieee80211_input.c,v 1.111 2018/05/08 07:02:07 maxv Exp $       */
+/*     $NetBSD: ieee80211_input.c,v 1.112 2018/06/21 16:53:10 maxv Exp $       */
 
 /*
  * Copyright (c) 2001 Atsushi Onoe
@@ -37,7 +37,7 @@
 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $");
 #endif
 #ifdef __NetBSD__
-__KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.111 2018/05/08 07:02:07 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.112 2018/06/21 16:53:10 maxv Exp $");
 #endif
 
 #ifdef _KERNEL_OPT
@@ -762,14 +762,15 @@
 {
        struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
        struct ieee80211_frame *lwh;
-       u_int16_t rxseq;
+       u_int16_t rxseq, iseq;
        u_int8_t fragno;
        const u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG;
        struct mbuf *mfrag;
 
        IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?"));
 
-       rxseq = le16toh(*(u_int16_t *)wh->i_seq);
+       iseq = *(u_int16_t *)wh->i_seq;
+       rxseq = le16toh(iseq);
        fragno = rxseq & IEEE80211_SEQ_FRAG_MASK;
 
        /* Quick way out, if there's nothing to defragment */
@@ -827,16 +828,19 @@
                }
                mfrag = m;
        } else {
+               int mlen;
+
                /* Strip header and concatenate */
                m_adj(m, hdrspace);
+               mlen = m->m_pkthdr.len;
                m_cat(mfrag, m);
 
                /* NB: m_cat doesn't update the packet header */
-               mfrag->m_pkthdr.len += m->m_pkthdr.len;
+               mfrag->m_pkthdr.len += mlen;
 
                /* track last seqnum and fragno */
                lwh = mtod(mfrag, struct ieee80211_frame *);
-               *(u_int16_t *)lwh->i_seq = *(u_int16_t *)wh->i_seq;
+               *(u_int16_t *)lwh->i_seq = iseq;
        }
 
        if (more_frag) {

Prev by Date: [src/trunk]: src/sys/dev/pci destroy 'sc_sync_wait' condvar and mutex upon de...
Next by Date: [src/trunk]: src/sys/net80211 remove unused arguments
Previous by Thread: [src/trunk]: src/sys/dev/pci destroy 'sc_sync_wait' condvar and mutex upon de...
Next by Thread: [src/trunk]: src/sys/net80211 remove unused arguments
Indexes:

Home | Main Index | Thread Index | Old Index