[Bug 269374] receiving an 802.11 mesh action frame while in adhoc mode can NULL deref in mesh_verify_meshid()

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 06 Feb 2023 16:07:03 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269374

            Bug ID: 269374
           Summary: receiving an 802.11 mesh action frame while in adhoc
                    mode can NULL deref in mesh_verify_meshid()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #239951 mime type: text/plain

Created attachment 239951
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239951&action=edit
send an 802.11 mesh action frame to a node in adhoc mode -> NULL deref in
mesh_verify_meshid()

I've attached a demo that sends a mesh action frame to an interface
that's in adhoc mode. vap->iv_mesh is NULL here:

mesh_verify_meshid(struct ieee80211vap *vap, const uint8_t *ie)
{
        struct ieee80211_mesh_state *ms = vap->iv_mesh;
        if (ie == NULL || ie[1] != ms->ms_idlen)


# cc wtap9a.c
# ./a.out
wlan0: received action from 00:98:9a:98:96:98 rssi 128
wlan0: adhoc_recv_mgmt: recv mgmt frame, addr2=00:98:9a:98:96:98, ni=0xffffffc073568000 (00:98:9a:98:96:98) fc=d0 00
panic: Fatal page fault at 0xffffffc000430b66: 0000000000000000
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0
mesh_verify_meshid() at mesh_verify_meshid+0x1a
mesh_parse_meshpeering_action() at mesh_parse_meshpeering_action+0x198
mesh_recv_action_meshpeering_confirm() at mesh_recv_action_meshpeering_confirm+0x26
ieee80211_recv_action() at ieee80211_recv_action+0x13c
adhoc_recv_mgmt() at adhoc_recv_mgmt+0x1d2
wtap_recv_mgmt() at wtap_recv_mgmt+0x28
adhoc_input() at adhoc_input+0x990
.LBB2_17() at .LBB2_17+0x34
taskqueue_run_locked() at taskqueue_run_locked+0x96
taskqueue_thread_loop() at taskqueue_thread_loop+0x62
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa
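As an added illustration (not FreeBSD's code and not the reporter's attachment), a stand-alone C model of the mesh ID check with the guard the report implies: an adhoc VAP has iv_mesh == NULL, so the verifier must reject the element before touching the mesh state. The struct layouts, the ms_id field name and the sample element are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the kernel structures; only iv_mesh and ms_idlen
 * appear in the report, the rest is assumed for this example. */
struct ieee80211_mesh_state {
    uint8_t ms_idlen;      /* length of the configured mesh ID */
    uint8_t ms_id[32];     /* configured mesh ID bytes (assumed name) */
};

struct ieee80211vap {
    struct ieee80211_mesh_state *iv_mesh;  /* NULL unless the VAP is a mesh point */
};

/* Mesh ID element as received: ie[0] = element id, ie[1] = length, ie+2 = body.
 * Returns 0 on match, non-zero to reject. The first test is the guard the
 * report shows to be missing: an adhoc VAP has no mesh state to compare against. */
int
mesh_verify_meshid_safe(const struct ieee80211vap *vap, const uint8_t *ie)
{
    const struct ieee80211_mesh_state *ms = vap->iv_mesh;

    if (ms == NULL)
        return 1;
    if (ie == NULL || ie[1] != ms->ms_idlen)
        return 1;
    return memcmp(ms->ms_id, ie + 2, ms->ms_idlen) != 0;
}

/* Constructed samples: element id 114 (Mesh ID), length 5, body "mesh1"/"mesh2". */
static const uint8_t sample_ie_match[] = { 114, 5, 'm', 'e', 's', 'h', '1' };
static const uint8_t sample_ie_wrong[] = { 114, 5, 'm', 'e', 's', 'h', '2' };

/* 1 if the adhoc case (iv_mesh == NULL) is rejected instead of dereferenced. */
int
adhoc_case_rejected(void)
{
    struct ieee80211vap adhoc_vap = { .iv_mesh = NULL };
    return mesh_verify_meshid_safe(&adhoc_vap, sample_ie_match) != 0;
}

/* Verifier result for a mesh VAP configured with ID "mesh1" and the given element. */
int
mesh_case(const uint8_t *ie)
{
    struct ieee80211_mesh_state ms = { .ms_idlen = 5, .ms_id = "mesh1" };
    struct ieee80211vap mesh_vap = { .iv_mesh = &ms };
    return mesh_verify_meshid_safe(&mesh_vap, ie);
}
```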
