1 A WDS-related crash is observed. It is caused by possible random memory
2 writes/accesses. Note how wds is freed, yet it will be used further in
5 Other usages in the tree of LIST_FOREACH(): when the element is found and
6 acted upon, the loop is immediately exited (either via break, or
7 return). But not in this case ...
9 Signed-off-by: Mindaugas Kriaučiūnas <mindaugas.kriauciunas@gmail.com>
10 Signed-off-by: Žilvinas Valinskas <valins@soften.ktu.lt>
12 Index: madwifi-ng-trunk/net80211/ieee80211_node.c
13 ===================================================================
14 --- madwifi-ng-trunk.orig/net80211/ieee80211_node.c 2006-09-25 13:28:08.000000000 +0300
15 +++ madwifi-ng-trunk/net80211/ieee80211_node.c 2006-10-18 15:59:40.000000000 +0300
17 ieee80211_del_wds_node(struct ieee80211_node_table *nt, struct ieee80211_node *ni)
20 - struct ieee80211_wds_addr *wds;
21 + struct ieee80211_wds_addr *wds, *next;
23 IEEE80211_NODE_LOCK_IRQ(nt);
24 for (hash = 0; hash < IEEE80211_NODE_HASHSIZE; hash++) {
25 - LIST_FOREACH(wds, &nt->nt_wds_hash[hash], wds_hash) {
26 + LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, next) {
27 if (wds->wds_ni == ni) {
28 if (ieee80211_node_dectestref(ni)) {
29 _ieee80211_free_node(ni);
32 struct ieee80211_node_table *nt = (struct ieee80211_node_table *)data;
34 - struct ieee80211_wds_addr *wds;
35 + struct ieee80211_wds_addr *wds, *next;
37 IEEE80211_NODE_LOCK_IRQ(nt);
38 for (hash = 0; hash < IEEE80211_NODE_HASHSIZE; hash++) {
39 - LIST_FOREACH(wds, &nt->nt_wds_hash[hash], wds_hash) {
40 + LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, next) {
41 if (wds->wds_agingcount != WDS_AGING_STATIC) {
42 if (!wds->wds_agingcount) {
43 if (ieee80211_node_dectestref(wds->wds_ni)) {
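Review bot: The `next` pointer that `LIST_FOREACH_SAFE` caches in both loops is only valid while the loop body unlinks and frees nothing except the current `wds`. The unlink/free lines and the rest of both function bodies are outside the visible hunks, so that is worth confirming, in particular whether `_ieee80211_free_node()` can itself remove WDS entries from `nt_wds_hash` and leave `next` dangling. Both loops run under `IEEE80211_NODE_LOCK_IRQ(nt)`, so a stale `next` would be a use-after-free in driver context rather than a recoverable error. I would also add a comment at each loop stating the invariant, e.g. `/* _SAFE: wds is unlinked and freed inside the loop; next must not be freed here */`, so a later edit does not revert to `LIST_FOREACH`.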