| Message ID | 1458353492-8654-2-git-send-email-me@bobcopeland.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Johannes Berg |
| Headers | show |
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c index a216c439b6f2..d0d8eeaa8129 100644 --- a/net/mac80211/mesh.c +++ b/net/mac80211/mesh.c @@ -220,6 +220,9 @@ int mesh_rmc_check(struct ieee80211_sub_if_data *sdata, u8 idx; struct rmc_entry *p, *n; + if (!rmc) + return -1; + /* Don't care about endianness since only match matters */ memcpy(&seqnum, &mesh_hdr->seqnum, sizeof(mesh_hdr->seqnum)); idx = le32_to_cpu(mesh_hdr->seqnum) & rmc->idx_mask;
In the unlikely case that mesh_rmc_init() fails with -ENOMEM, the rmc pointer will be left as NULL but the interface is still operational because ieee80211_mesh_init_sdata() is not allowed to fail. If this happens, we would blindly dereference rmc when checking whether a multicast frame is in the cache. Instead just drop the frames in the forwarding path. Signed-off-by: Bob Copeland <me@bobcopeland.com> --- net/mac80211/mesh.c | 3 +++ 1 file changed, 3 insertions(+)