From 3a57305f10ce867d4427ecb94efbec6afb982068 Mon Sep 17 00:00:00 2001 From: Witold Sowa Date: Wed, 26 Aug 2009 20:18:24 +0300 Subject: [PATCH] Fix a bug with ap_rx_from_unknown_sta() recursion ap_rx_from_unknown_sta was going into infinite recursion, or could even crash because of corrupted pointer cast. --- src/drivers/driver_nl80211.c | 4 ++-- wpa_supplicant/ap.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index f8f6c765d..77cee65db 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -2588,7 +2588,7 @@ static int nl80211_create_iface(struct wpa_driver_nl80211_data *drv, void ap_tx_status(void *ctx, const u8 *addr, const u8 *buf, size_t len, int ack); -void ap_rx_from_unknown_sta(void *ctx, const u8 *addr); +void ap_rx_from_unknown_sta(void *ctx, struct ieee80211_hdr *hdr, size_t len); void ap_mgmt_rx(void *ctx, u8 *buf, size_t len, u16 stype, struct hostapd_frame_info *fi); void ap_mgmt_tx_cb(void *ctx, u8 *buf, size_t len, u16 stype, int ok); @@ -2643,7 +2643,7 @@ static void from_unknown_sta(struct wpa_driver_nl80211_data *drv, #ifdef HOSTAPD hostapd_rx_from_unknown_sta(drv->ctx, hdr, len); #else /* HOSTAPD */ - ap_rx_from_unknown_sta(drv->ctx, hdr->addr2); + ap_rx_from_unknown_sta(drv->ctx, hdr, len); #endif /* HOSTAPD */ } diff --git a/wpa_supplicant/ap.c b/wpa_supplicant/ap.c index 06d6d2e4a..c4065dc29 100644 --- a/wpa_supplicant/ap.c +++ b/wpa_supplicant/ap.c @@ -494,10 +494,10 @@ void ap_tx_status(void *ctx, const u8 *addr, } -void ap_rx_from_unknown_sta(void *ctx, const u8 *addr) +void ap_rx_from_unknown_sta(void *ctx, struct ieee80211_hdr *hdr, size_t len) { struct wpa_supplicant *wpa_s = ctx; - ap_rx_from_unknown_sta(wpa_s->ap_iface->bss[0], addr); + hostapd_rx_from_unknown_sta(wpa_s->ap_iface->bss[0], hdr, len); }