linux/net/mac80211
Johannes Berg b8fff407a1 mac80211: fix use-after-free in defragmentation
Upon receiving the last fragment, all but the first fragment
are freed, but the multicast check for statistics at the end
of the function refers to the current skb (the last fragment)
causing a use-after-free bug.

Since multicast frames cannot be fragmented and we check for
this early in the function, just modify that check to also
do the accounting to fix the issue.

Cc: stable@vger.kernel.org
Reported-by: Yosef Khyal <yosefx.khyal@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2014-11-03 14:28:50 +01:00
..
aes_ccm.c mac80211: remove VLAIS usage from mac80211 2014-04-09 10:55:27 +02:00
aes_ccm.h mac80211: port CCMP to cryptoapi's CCM driver 2013-10-11 15:38:20 +02:00
aes_cmac.c mac80211: fix checkpatch errors 2013-12-18 10:33:06 +01:00
aes_cmac.h mac80211: fix checkpatch errors 2013-12-18 10:33:06 +01:00
agg-rx.c mac80211: fix offloaded BA session traffic after hw restart 2014-09-03 13:40:38 +02:00
agg-tx.c mac80211: introduce refcount for queue_stop_reasons 2014-06-23 14:22:25 +02:00
cfg.c mac80211: return the vif's chandef in ieee80211_cfg_get_channel() 2014-10-09 11:01:58 +02:00
cfg.h mac80211: make cfg80211 ops and privid const 2014-02-04 21:48:21 +01:00
chan.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless 2014-09-08 11:14:56 -04:00
debug.h mac80211: process the CSA frame for mesh accordingly 2013-10-28 15:05:28 +01:00
debugfs_key.c
debugfs_key.h
debugfs_netdev.c mac80211: replace SMPS hw flags with wiphy feature bits 2014-09-11 13:37:02 +02:00
debugfs_netdev.h mac80211: fix some missing includes 2014-04-09 14:49:43 +02:00
debugfs_sta.c This time, I have some rate minstrel improvements, support for a very 2014-09-15 14:51:23 -04:00
debugfs_sta.h
debugfs.c mac80211: replace SMPS hw flags with wiphy feature bits 2014-09-11 13:37:02 +02:00
debugfs.h mac80211: fix some missing includes 2014-04-09 14:49:43 +02:00
driver-ops.h mac80211: extend set_coverage_class signature 2014-09-05 13:54:07 +02:00
ethtool.c cfg80211: make ethtool the driver's responsibility 2014-06-23 11:05:33 +02:00
event.c
ht.c mac80211: set Rx highest rate in ht_cap 2014-07-21 12:14:04 +02:00
ibss.c mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
ieee80211_i.h mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
iface.c mac80211: properly flush delayed scan work on interface removal 2014-10-30 15:48:32 +01:00
Kconfig mac80211: remove PID rate control 2014-06-23 11:05:23 +02:00
key.c mac80211: clear key material when freeing keys 2014-09-11 12:07:23 +02:00
key.h mac80211: free all AP/VLAN keys at once 2013-12-16 11:29:48 +01:00
led.c mac80211: use oneshot blink API for LED triggers 2013-08-01 10:48:49 +02:00
led.h mac80211: use oneshot blink API for LED triggers 2013-08-01 10:48:49 +02:00
main.c mac80211: add Intel Mobile Communications copyright 2014-09-05 13:52:06 +02:00
Makefile cfg80211: make ethtool the driver's responsibility 2014-06-23 11:05:33 +02:00
mesh_hwmp.c mac80211: remove unnecessary break after return 2014-07-15 16:27:00 -07:00
mesh_pathtbl.c mac80211: Replace rcu_dereference() with rcu_access_pointer() 2014-08-27 12:14:10 +02:00
mesh_plink.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless 2014-09-08 11:14:56 -04:00
mesh_ps.c mac80211: clear sequence/fragment number in QoS-null frames 2014-03-05 15:49:54 +01:00
mesh_sync.c mac80211: remove BUG_ON usage 2014-04-29 17:59:27 +02:00
mesh.c mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
mesh.h mac80211: use put_unaligned_le in mesh when necessary 2013-11-25 20:51:55 +01:00
michael.c
michael.h mac80211: fix some missing includes 2014-04-09 14:49:43 +02:00
mlme.c mac80211: schedule the actual switch of the station before CSA count 0 2014-10-29 16:37:54 +01:00
offchannel.c mac80211: introduce refcount for queue_stop_reasons 2014-06-23 14:22:25 +02:00
pm.c mac80211: introduce refcount for queue_stop_reasons 2014-06-23 14:22:25 +02:00
rate.c mac80211: fix typo in starting baserate for rts_cts_rate_idx 2014-10-14 11:16:16 +02:00
rate.h mac80211: remove PID rate control 2014-06-23 11:05:23 +02:00
rc80211_minstrel_debugfs.c mac80211: minstrels: fix buffer overflow in HT debugfs rc_stats 2014-10-20 16:37:01 +02:00
rc80211_minstrel_ht_debugfs.c mac80211: minstrels: fix buffer overflow in HT debugfs rc_stats 2014-10-20 16:37:01 +02:00
rc80211_minstrel_ht.c mac80211: improve minstrel_ht rate sorting by throughput & probability 2014-09-11 12:10:14 +02:00
rc80211_minstrel_ht.h mac80211: improve minstrel_ht rate sorting by throughput & probability 2014-09-11 12:10:14 +02:00
rc80211_minstrel.c mac80211: Unify rate statistic variables between Minstrel & Minstrel_HT 2014-09-11 12:08:31 +02:00
rc80211_minstrel.h mac80211: Unify rate statistic variables between Minstrel & Minstrel_HT 2014-09-11 12:08:31 +02:00
rx.c mac80211: fix use-after-free in defragmentation 2014-11-03 14:28:50 +01:00
scan.c mac80211: add Intel Mobile Communications copyright 2014-09-05 13:52:06 +02:00
spectmgmt.c mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
sta_info.c Merge tag 'master-2014-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next 2014-09-26 15:39:24 -04:00
sta_info.h mac80211: fix warning on htmldocs for last_tdls_pkt_time 2014-10-09 10:33:29 +02:00
status.c mac80211: add TDLS connection timeout 2014-09-11 12:18:47 +02:00
tdls.c mac80211: set network header in TDLS frames 2014-09-11 12:25:22 +02:00
tkip.c mac80211: fix checkpatch errors 2013-12-18 10:33:06 +01:00
tkip.h
trace.c
trace.h mac80211: extend set_coverage_class signature 2014-09-05 13:54:07 +02:00
tx.c Merge tag 'master-2014-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next 2014-09-26 15:39:24 -04:00
util.c mac80211: support DTPC IE (from Cisco Client eXtensions) 2014-09-08 10:52:00 +02:00
vht.c mac80211: disable VHT for TDLS 2014-07-21 12:14:04 +02:00
wep.c mac80211: remove weak WEP IV accounting 2014-06-23 11:05:31 +02:00
wep.h
wme.c mac80211: add Intel Mobile Communications copyright 2014-09-05 13:52:06 +02:00
wme.h
wpa.c mac80211: annotate MMIC head/tailroom warning 2014-09-08 11:22:42 +02:00
wpa.h mac80211: add generic cipher scheme support 2013-11-25 20:50:52 +01:00