Fix a VAP BSS node reference in the HT code to actually take a reference

before using said node. The "blessed" way here is to take a node reference before referencing anything inside the node, otherwise the node can be freed between the time the pointer is copied/dereferenced and the time the node contents are used. This mirrors fixes that I've done elsewhere in the net80211/driver stack. PR: kern/178470
svn path=/head/; revision=250442
2024-09-21 01:03:42 +00:00 · 2013-05-10 09:37:58 +00:00 · 2013-05-10 09:37:58 +00:00 · 5b58efc6cc · 2020-12-20 02:59:44 +00:00
parent ede69cff5b
commit 5b58efc6cc
1 changed files with 7 additions and 1 deletions
--- a/sys/net80211/ieee80211_ht.c
+++ b/sys/net80211/ieee80211_ht.c
@ -2773,11 +2773,15 @@ ieee80211_ht_update_beacon(struct ieee80211vap *vap,
 	struct ieee80211_beacon_offsets *bo)
 {
 #define	PROTMODE	(IEEE80211_HTINFO_OPMODE|IEEE80211_HTINFO_NONHT_PRESENT)
-	const struct ieee80211_channel *bsschan = vap->iv_bss->ni_chan;
+	struct ieee80211_node *ni;
+	const struct ieee80211_channel *bsschan;
 	struct ieee80211com *ic = vap->iv_ic;
 	struct ieee80211_ie_htinfo *ht =
 	   (struct ieee80211_ie_htinfo *) bo->bo_htinfo;

+	ni = ieee80211_ref_node(vap->iv_bss);
+	bsschan = ni->ni_chan;
+
 	/* XXX only update on channel change */
 	ht->hi_ctrlchannel = ieee80211_chan2ieee(ic, bsschan);
 	if (vap->iv_flags_ht & IEEE80211_FHT_RIFS)
@ -2796,6 +2800,8 @@ ieee80211_ht_update_beacon(struct ieee80211vap *vap,
 	/* protection mode */
 	ht->hi_byte2 = (ht->hi_byte2 &~ PROTMODE) | ic->ic_curhtprotmode;

+	ieee80211_free_node(ni);
+
 	/* XXX propagate to vendor ie's */
 #undef PROTMODE
 }