nl80211: Use safe list iteration

In certain cases like PBC session overlap it appears to be possible that
an interface is removed due to an event handled on it, this leads to
list corruption. Use safe iteration to prevent this issue.

Reported-by: Nirav Shah <nirav.j2.shah@intel.com>
Reported-by: Neeraj Kumar Garg <neerajkg@broadcom.com>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
intended-for: hostap-1
This commit is contained in:
Johannes Berg 2012-06-04 20:25:11 +03:00 committed by Jouni Malinen
parent fdfb1c8bcf
commit 24b5bd8b42

View File

@ -2198,7 +2198,7 @@ static int process_global_event(struct nl_msg *msg, void *arg)
struct nl80211_global *global = arg; struct nl80211_global *global = arg;
struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
struct nlattr *tb[NL80211_ATTR_MAX + 1]; struct nlattr *tb[NL80211_ATTR_MAX + 1];
struct wpa_driver_nl80211_data *drv; struct wpa_driver_nl80211_data *drv, *tmp;
int ifidx = -1; int ifidx = -1;
nla_parse(tb, NL80211_ATTR_MAX, genlmsg_attrdata(gnlh, 0), nla_parse(tb, NL80211_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
@ -2207,8 +2207,8 @@ static int process_global_event(struct nl_msg *msg, void *arg)
if (tb[NL80211_ATTR_IFINDEX]) if (tb[NL80211_ATTR_IFINDEX])
ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]); ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
dl_list_for_each(drv, &global->interfaces, dl_list_for_each_safe(drv, tmp, &global->interfaces,
struct wpa_driver_nl80211_data, list) { struct wpa_driver_nl80211_data, list) {
if (ifidx == -1 || ifidx == drv->ifindex || if (ifidx == -1 || ifidx == drv->ifindex ||
have_ifidx(drv, ifidx)) have_ifidx(drv, ifidx))
do_process_drv_event(drv, gnlh->cmd, tb); do_process_drv_event(drv, gnlh->cmd, tb);