linux/net
Bob Copeland 5ee58d7e6a mac80211: fix minstrel single-rate memory corruption
The minstrel rate controller periodically looks up rate indexes in
a sampling table.  When accessing a specific row and column, minstrel
correctly does a bounds check which, on the surface, appears to handle
the case where mi->n_rates < 2.  However, mi->sample_idx is actually
defined as an unsigned, so the right hand side is taken to be a huge
positive number when negative, and the check will always fail.

Consequently, the RC will overrun the array and cause random memory
corruption when communicating with a peer that has only a single rate.
The max value of mi->sample_idx is around 25 so casting to int should
have no ill effects.

Without the change, uptime is a few minutes under load with an AP
that has a single hard-coded rate, and both the AP and STA could
potentially crash.  With the change, both lasted 12 hours with a
steady load.

Thanks to Ognjen Maric for providing the single-rate clue so I could
reproduce this.

This fixes http://bugzilla.kernel.org/show_bug.cgi?id=12490 on the
regression list (also http://bugzilla.kernel.org/show_bug.cgi?id=13000).

Cc: stable@kernel.org
Reported-by: Sergey S. Kostyliov <rathamahata@gmail.com>
Reported-by: Ognjen Maric <ognjen.maric@gmail.com>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-10 13:27:51 -04:00
9p net/9p: handle correctly interrupted 9P requests 2009-04-05 16:54:53 -05:00
802 net: remove COMPAT_NET_DEV_OPS 2009-05-25 01:53:53 -07:00
8021q net: convert unicast addr list 2009-05-29 22:12:32 -07:00
appletalk appletalk: Use frag list abstraction interfaces. 2009-06-09 00:17:44 -07:00
atm net: skb->dst accessors 2009-06-03 02:51:04 -07:00
ax25 ax25: proc uid file misses header 2009-04-20 02:14:59 -07:00
bluetooth isdn: rename capi_ctr_reseted() to capi_ctr_down() 2009-06-08 00:45:50 -07:00
bridge net: skb->dst accessors 2009-06-03 02:51:04 -07:00
can can: Network Drop Monitor: Make use of consume_skb() in af_can.c 2009-04-17 01:38:46 -07:00
core Add constants for the ieee 802.15.4 stack 2009-06-09 05:25:30 -07:00
dcb DCB: fix kfree(skb) 2009-01-04 17:29:21 -08:00
dccp net: skb->dst accessors 2009-06-03 02:51:04 -07:00
decnet net: skb->dst accessors 2009-06-03 02:51:04 -07:00
dsa net: convert unicast addr list 2009-05-29 22:12:32 -07:00
econet econet: Use SKB queue and list helpers instead of doing it by-hand. 2009-05-28 16:46:29 -07:00
ethernet net: remove COMPAT_NET_DEV_OPS 2009-05-25 01:53:53 -07:00
ieee802154 net: add NL802154 interface for configuration of 802.15.4 devices 2009-06-09 05:25:33 -07:00
ipv4 netfilter: Use frag list abstraction interfaces. 2009-06-09 00:23:58 -07:00
ipv6 netfilter: Use frag list abstraction interfaces. 2009-06-09 00:23:58 -07:00
ipx ipx: use constant for strings and descriptor 2009-03-21 19:06:51 -07:00
irda irda: Use SKB queue and list helpers instead of doing it by-hand. 2009-05-28 23:26:33 -07:00
iucv af_iucv: Fix merge. 2009-04-23 06:37:16 -07:00
key af_key: remove some pointless conditionals before kfree_skb() 2009-02-26 23:07:32 -08:00
lapb
llc llc: Kill outdated and incorrect comment. 2009-05-28 23:31:56 -07:00
mac80211 mac80211: fix minstrel single-rate memory corruption 2009-06-10 13:27:51 -04:00
netfilter net: skb->dst accessors 2009-06-03 02:51:04 -07:00
netlabel netlabel: Use genl_register_family_with_ops() 2009-05-21 16:50:24 -07:00
netlink genetlink: Introduce genl_register_family_with_ops() 2009-05-21 16:50:22 -07:00
netrom net/netrom: Fix socket locking 2009-04-22 00:49:51 -07:00
packet net: skb->dst accessors 2009-06-03 02:51:04 -07:00
phonet phonet: Use frag list abstraction interfaces. 2009-06-09 00:24:06 -07:00
rds Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-05-18 21:08:20 -07:00
rfkill rfkill: always init poll delayed work 2009-06-03 14:06:15 -04:00
rose Revert "rose: zero length frame filtering in af_rose.c" 2009-04-14 20:28:00 -07:00
rxrpc RxRPC: Error handling for rxrpc_alloc_connection() 2009-05-21 15:22:02 -07:00
sched pkt_sched: Use PSCHED_SHIFT in PSCHED time conversion 2009-06-09 05:25:29 -07:00
sctp sctp: Use frag list abstraction interfaces. 2009-06-09 00:24:07 -07:00
sunrpc net: skb->dst accessors 2009-06-03 02:51:04 -07:00
tipc tipc: Use genl_register_family_with_ops() 2009-05-21 16:50:23 -07:00
unix New helper - current_umask() 2009-03-31 23:00:26 -04:00
wanrouter wanrouter: fix sparse warnings: context imbalance 2009-02-26 23:13:36 -08:00
wimax wimax: depend on rfkill properly 2009-06-04 10:58:15 -04:00
wireless cfg80211: make ieee80211_get_mesh_hdrlen() static 2009-06-03 14:06:15 -04:00
x25 af_rose/x25: Sanity check the maximum user frame size 2009-03-27 00:28:21 -07:00
xfrm xfrm: Use frag list abstraction interfaces. 2009-06-09 00:24:07 -07:00
compat.c net: socket infrastructure for SO_TIMESTAMPING 2009-02-15 22:43:35 -08:00
Kconfig net: add IEEE 802.15.4 socket family implementation 2009-06-09 05:25:32 -07:00
Makefile net: add IEEE 802.15.4 socket family implementation 2009-06-09 05:25:32 -07:00
nonet.c
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-04-06 18:05:43 -07:00
sysctl_net.c net: sysctl_net - use net_eq to compare nets 2009-03-16 16:23:30 +01:00