mac80211: fix two remote exploits
authorJohannes Berg <johannes@sipsolutions.net>
Fri, 20 Nov 2009 08:15:51 +0000 (09:15 +0100)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 8 Dec 2009 18:21:42 +0000 (10:21 -0800)
commita9f5433f6f88aaad161d23a595a86b3d1ae739fb
tree69168468162c74b6eb3f19ada2972f2f64ba1393
parent57ee10d0308f0ae7699fef496a5f9924a82b9903
mac80211: fix two remote exploits

commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51 upstream.

Lennert Buytenhek noticed a remotely triggerable problem
in mac80211, which is due to some code shuffling I did
that ended up changing the order in which things were
done -- this was in

  commit d75636ef9c1af224f1097941879d5a8db7cd04e5
  Author: Johannes Berg <johannes@sipsolutions.net>
  Date:   Tue Feb 10 21:25:53 2009 +0100

    mac80211: RX aggregation: clean up stop session

The problem is that the BUG_ON moved before the various
checks, and as such can be triggered.

As the comment indicates, the BUG_ON can be removed since
the ampdu_action callback must already exist when the
state is OPERATIONAL.

A similar code path leads to a WARN_ON in
ieee80211_stop_tx_ba_session, which can also be removed.

Cc: Lennert Buytenhek <buytenh@marvell.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
net/mac80211/agg-rx.c
net/mac80211/agg-tx.c