https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288630
Bug ID: 288630
Summary: missing ieee80211_ref_node(ni) in if_mtw.c mtw_newassoc() -> use-after-free
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: wireless
Assignee: [email protected]
Reporter: [email protected]
mtw_newassoc() schedules a future call to mtw_newassoc_cb, capturing
an ni, but does not protect it with ieee80211_ref_node(ni):
sc->cmdq[cnt].func = mtw_newassoc_cb;
sc->cmdq[cnt].arg0 = NULL;
sc->cmdq[cnt].arg1 = ni;
sc->cmdq[cnt].wcid = wcid;
ieee80211_runtask(ic, &sc->cmdq_task);
By the time mtw_newassoc_cb() is called, ni may have been freed.
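The sequence the report describes, as an added model in C (this is neither the driver's code nor the reporter's). The names node_ref, node_free, newassoc, newassoc_cb and run_task are assumptions standing in for ieee80211_ref_node(), its matching release, mtw_newassoc(), mtw_newassoc_cb() and the cmdq task; the "heap" is a static pool so a freed node can be inspected without real undefined behaviour. run_scenario(0, ...) is the reported defect, run_scenario(1, ...) the same flow with the missing reference taken:

```c
#include <stddef.h>
#include <stdio.h>

#define NODE_POOL 4

struct node {
    int refcnt;    /* outstanding references */
    int alive;     /* 1 while allocated, 0 once "freed" back to the pool */
    int assoc_id;
};

struct cmd {
    void (*func)(struct node *ni, int *saw_live);  /* deferred callback, like cmdq[].func */
    struct node *arg1;                              /* captured node, like cmdq[].arg1 */
};

static struct node pool[NODE_POOL];   /* assumed stand-in for the kernel allocator */

static struct node *node_alloc(int assoc_id)
{
    for (int i = 0; i < NODE_POOL; i++) {
        if (!pool[i].alive) {
            pool[i].refcnt = 1;       /* the caller holds the first reference */
            pool[i].alive = 1;
            pool[i].assoc_id = assoc_id;
            return &pool[i];
        }
    }
    return NULL;
}

/* Model of ieee80211_ref_node(): another holder keeps the node valid. */
static void node_ref(struct node *ni)
{
    ni->refcnt++;
}

/* Model of the release: drop one reference, free when the last one goes. */
static void node_free(struct node *ni)
{
    if (--ni->refcnt == 0)
        ni->alive = 0;   /* in the kernel this is the real free */
}

/* The deferred callback only records whether the node handed to it is still live. */
static void newassoc_cb(struct node *ni, int *saw_live)
{
    *saw_live = ni->alive;   /* a real callback reads ni's fields here: UAF when alive == 0 */
}

/* Queue the callback; take_ref selects the reported (buggy) or the fixed behaviour. */
static void newassoc(struct cmd *c, struct node *ni, int take_ref)
{
    if (take_ref)
        node_ref(ni);        /* the ieee80211_ref_node(ni) the report says is missing */
    c->func = newassoc_cb;
    c->arg1 = ni;
}

/* Run the queued command and release the callback's reference if it took one. */
static void run_task(struct cmd *c, int took_ref, int *saw_live)
{
    c->func(c->arg1, saw_live);
    if (took_ref)
        node_free(c->arg1);
}

/*
 * Full sequence: the node exists, newassoc queues the callback, the original
 * holder drops its reference before the task runs, then the task runs.
 * Returns 1 if the callback saw a live node, 0 if it ran on a freed one;
 * *refcnt_after receives the node's refcount once everything is done.
 */
int run_scenario(int take_ref, int *refcnt_after)
{
    struct cmd c;
    int saw_live = -1;
    struct node *ni = node_alloc(7);

    newassoc(&c, ni, take_ref);
    node_free(ni);                    /* original holder lets go before the task runs */
    run_task(&c, take_ref, &saw_live);
    *refcnt_after = ni->refcnt;
    return saw_live;
}

int main(void)
{
    int rc;
    printf("without ref: callback saw a %s node\n", run_scenario(0, &rc) ? "live" : "freed");
    printf("with ref:    callback saw a %s node, refcnt %d\n",
           run_scenario(1, &rc) ? "live" : "freed", rc);
    return 0;
}
```

The fixed path pairs the reference taken at queue time with a release at the end of the callback; without that release the node would leak instead, so both halves belong in the fix.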