ath6kl: Fix invalid pointer access on fuzz testing with AP mode

In our Fuz testing, reference client corrupts the dest mac to "00:00:00:00:00:00" in the WPA2 handshake no 2. During driver init the sta_list entries mac addresses are by default "00:00:00:00:00:00". Driver returns an invalid pointer (conn) and the drver shall crash, if rxtids (aggr_conn) skb queues are accessed, since they would not be initialized. Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>

ath6kl: Fix invalid pointer access on fuzz testing with AP mode
In our Fuz testing, reference client corrupts the dest mac to "00:00:00:00:00:00" in the WPA2 handshake no 2. During driver init the sta_list entries mac addresses are by default "00:00:00:00:00:00". Driver returns an invalid pointer (conn) and the drver shall crash, if rxtids (aggr_conn) skb queues are accessed, since they would not be initialized. Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
9d0e2f07 · Mohammed Shafi Shajakhan · Kalle Valo · f32036e8 · 9d0e2f07
Commit 9d0e2f07 authored Aug 05, 2013 by Mohammed Shafi Shajakhan Committed by Kalle Valo Aug 07, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

drivers/net/wireless/ath/ath6kl/main.c drivers/net/wireless/ath/ath6kl/main.c +3 -0

No files found.
--- a/drivers/net/wireless/ath/ath6kl/main.c
+++ b/drivers/net/wireless/ath/ath6kl/main.c
@@ -29,6 +29,9 @@ struct ath6kl_sta *ath6kl_find_sta(struct ath6kl_vif *vif, u8 *node_addr)
 	struct ath6kl_sta *conn = NULL;
 	u8 i, max_conn;

+	if (is_zero_ether_addr(node_addr))
+		return NULL;
+
 	max_conn = (vif->nw_type == AP_NETWORK) ? AP_MAX_NUM_STA : 0;

 	for (i = 0; i < max_conn; i++) {