linux/net
Johannes Berg cd87a2d3a3 mac80211: fix use-after-free
commit 8c0c709eea
Author: Johannes Berg <johannes@sipsolutions.net>
Date:   Wed Nov 25 17:46:15 2009 +0100

    mac80211: move cmntr flag out of rx flags

moved the CMTR flag into the skb's status, and
in doing so introduced a use-after-free -- when
the skb has been handed to cooked monitors the
status setting will touch now invalid memory.

Additionally, moving it there has effectively
discarded the optimisation -- since the bit is
only ever set on freed SKBs, and those were a
copy, it could never be checked.

For the current release, fixing this properly
is a bit too involved, so let's just remove the
problematic code and leave userspace with one
copy of each frame for each virtual interface.

Cc: stable@kernel.org [2.6.33+]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-09-24 15:21:55 -04:00
..
9p fs/9p: destroy fid on failed remove 2010-08-02 14:28:36 -05:00
802
8021q vlan_dev: VLAN 0 should be treated as "no vlan tag" (802.1p packet) 2010-07-18 15:38:44 -07:00
appletalk
atm ppp: make channel_ops const 2010-08-04 21:53:17 -07:00
ax25
bluetooth Bluetooth: Fix incorrect setting of remote_tx_win for L2CAP ERTM 2010-08-10 07:59:11 -04:00
bridge Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-08-02 22:22:46 -07:00
caif caif: precedence bug 2010-07-22 14:14:47 -07:00
can can-raw: Fix skb_orphan_try handling 2010-08-03 00:31:48 -07:00
core net: disable preemption before call smp_processor_id() 2010-08-07 20:35:43 -07:00
dcb
dccp net: dccp: fix sign bug 2010-07-18 15:07:14 -07:00
decnet net-next: remove useless union keyword 2010-06-10 23:31:35 -07:00
dsa Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-07-20 18:25:24 -07:00
econet econet: fix locking 2010-06-11 18:37:08 -07:00
ethernet Net: ethernet: pe2.c: fix EXPORT_SYMBOL macro code style issue 2010-07-14 18:27:09 -07:00
ieee802154 ieee802154: Fix possible NULL pointer dereference in wpan_phy_alloc 2010-05-23 23:11:07 -07:00
ipv4 tcp: no md5sig option size check bug 2010-08-07 20:24:28 -07:00
ipv6 Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-08-04 15:31:02 -07:00
ipx
irda ppp: make channel_ops const 2010-08-04 21:53:17 -07:00
iucv net: use __packed annotation 2010-06-03 03:21:52 -07:00
key pfkey: add severity to printk 2010-05-17 23:23:13 -07:00
l2tp ppp: make channel_ops const 2010-08-04 21:53:17 -07:00
lapb
llc Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-05-12 00:05:35 -07:00
mac80211 mac80211: fix use-after-free 2010-09-24 15:21:55 -04:00
netfilter Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-08-04 15:31:02 -07:00
netlabel net: Remove unnecessary returns from void function()s 2010-05-17 23:23:14 -07:00
netlink genetlink: use genl_register_family_with_ops() 2010-07-26 21:00:10 -07:00
netrom
packet packet_mmap: expose hw packet timestamps to network packet capture utilities 2010-06-02 05:53:56 -07:00
phonet Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-07-20 18:25:24 -07:00
rds net/rds: Add missing mutex_unlock 2010-05-29 00:18:48 -07:00
rfkill
rose net/rose: Use GFP_ATOMIC 2010-08-01 00:32:12 -07:00
rxrpc RxRPC: Fix a potential deadlock between the call resend_timer and state_lock 2010-08-04 21:53:16 -07:00
sched pkt_sched: Fix sch_sfq vs tcf_bind_filter oops 2010-08-07 22:45:41 -07:00
sctp Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-08-04 15:31:02 -07:00
sunrpc mm: add context argument to shrinker callback to remaining shrinkers 2010-07-21 15:33:01 +10:00
tipc tipc: Reduce footprint by un-inlining tipc_msg_* routines 2010-05-12 23:02:29 -07:00
unix drop_monitor: convert some kfree_skb call sites to consume_skb 2010-07-20 13:28:05 -07:00
wanrouter net: autoconvert trivial BKL users to private mutex 2010-07-12 20:21:47 -07:00
wimax Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-05-20 21:04:44 -07:00
wireless wext: fix potential private ioctl memory content leak 2010-09-20 13:41:40 -04:00
x25 X25: Remove bkl in sockopts 2010-05-17 17:39:28 -07:00
xfrm Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-07-20 18:25:24 -07:00
compat.c From abbffa2aa9bd6f8df16d0d0a102af677510d8b9a Mon Sep 17 00:00:00 2001 2010-06-03 20:03:40 -07:00
Kconfig wireless: Make COMPAT_NETLINK_MESSAGES depend upon WEXT_CORE 2010-07-26 13:13:49 -07:00
Makefile net/Makefile: conditionally descend to wireless and ieee802154 2010-06-29 15:32:43 -07:00
nonet.c
socket.c net: support time stamping in phy devices. 2010-07-18 19:15:26 -07:00
sysctl_net.c net: Remove unnecessary returns from void function()s 2010-05-17 23:23:14 -07:00
TUNABLE