Update of /cvsroot/madwifi/madwifi/net80211
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19355
Modified Files:
ieee80211_node.h ieee80211_node.c
Log Message:
Close a race where a node may be used without having its state properly
setup. If a station is dropped and the station responds before the last
reference to the node is reclaimed then it may be found in the node table
with the state it had from the previous association. To deal with this
we clean the critical state when the station leaves so any reuse will
find the data structure in a safe state.
Alternatively we might just mark the node and defer the cleanup until it
is reallocated but since cleanup is currently cheap we'll brute force things.
Sponsored by: Video54 Technologies
Index: ieee80211_node.h
===================================================================
RCS file: /cvsroot/madwifi/madwifi/net80211/ieee80211_node.h,v
retrieving revision 1.3
retrieving revision 1.4
diff -C2 -d -r1.3 -r1.4
*** ieee80211_node.h 18 Aug 2004 00:44:39 -0000 1.3
--- ieee80211_node.h 19 Aug 2004 01:06:58 -0000 1.4
***************
*** 180,183 ****
--- 180,185 ----
extern int ieee80211_sta_join(struct ieee80211com *,
struct ieee80211_node *);
+ extern void ieee80211_sta_leave(struct ieee80211com *,
+ struct ieee80211_node *);
extern struct ieee80211_node *ieee80211_alloc_node(struct ieee80211com
*,
Index: ieee80211_node.c
===================================================================
RCS file: /cvsroot/madwifi/madwifi/net80211/ieee80211_node.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -C2 -d -r1.5 -r1.6
*** ieee80211_node.c 18 Aug 2004 00:55:25 -0000 1.5
--- ieee80211_node.c 19 Aug 2004 01:06:59 -0000 1.6
***************
*** 53,56 ****
--- 53,57 ----
static struct ieee80211_node *ieee80211_node_alloc(struct ieee80211com *);
+ static void node_cleanup(struct ieee80211com *, struct ieee80211_node *);
static void ieee80211_node_free(struct ieee80211com *, struct ieee80211_node
*);
static void ieee80211_node_copy(struct ieee80211com *,
***************
*** 550,553 ****
--- 551,566 ----
}
+ /*
+ * Leave the specified IBSS/BSS network. The node is assumed to
+ * be passed in with a held reference.
+ */
+ void
+ ieee80211_sta_leave(struct ieee80211com *ic, struct ieee80211_node *ni)
+ {
+
+ node_cleanup(ic, ni);
+ ieee80211_notify_node_leave(ic, ni);
+ }
+
static struct ieee80211_node *
ieee80211_node_alloc(struct ieee80211com *ic)
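Review bot: ieee80211_sta_leave is exported through ieee80211_node.h, but its comment states only the reference requirement and says nothing about locking. Per the log message the node can still be found in the node table by another path while this runs, and node_cleanup rewrites fields such a reader may be looking at; nothing in this hunk takes or asserts a lock. I would extend the comment with something like `Caller must hold whatever serializes node-table lookups against this node; state is reset in place.` If the notify handler needs any pre-cleanup state (inferred, its body is not shown), call `ieee80211_notify_node_leave(ic, ni);` before `node_cleanup(ic, ni);`.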
***************
*** 565,568 ****
--- 578,585 ----
int i;
+ ni->ni_flags = 0;
+ ni->ni_associd = 0;
+ ni->ni_esslen = 0;
+ /* XXX ni_savedq */
if (ni->ni_challenge != NULL) {
FREE(ni->ni_challenge, M_DEVBUF);
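Review bot: The `/* XXX ni_savedq */` marker leaves the saved queue untouched, so the reset this commit aims for is incomplete: anything still queued on ni_savedq from the previous association stays attached to a node that may be reused. If those are frames buffered for the old station (inferred from the name), they could be delivered into the new association, so the queue should be drained here or the XXX expanded to say why skipping it is safe. The FREE of ni_challenge can now also run while other references exist; the rest of the function is outside the hunk, so confirm the pointer is cleared right after the free, e.g. `ni->ni_challenge = NULL;`.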
***************
*** 1164,1168 ****
if (ic->ic_curmode == IEEE80211_MODE_11G)
ieee80211_node_leave_11g(ic, ni);
! ieee80211_notify_node_leave(ic, ni);
done:
ieee80211_free_node(ic, ni);
--- 1181,1191 ----
if (ic->ic_curmode == IEEE80211_MODE_11G)
ieee80211_node_leave_11g(ic, ni);
! /*
! * Cleanup station state. In particular clear various
! * state that might otherwise be reused if the node
! * is reused before the reference count goes to zero
! * (and memory is reclaimed).
! */
! ieee80211_sta_leave(ic, ni);
done:
ieee80211_free_node(ic, ni);
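Review bot: The new ieee80211_sta_leave call sits above the `done:` label, so any earlier `goto done` in this function (the jumps are outside the hunk) drops the reference without resetting the node. If one of those paths can be taken for a station that carries partial state, for instance an allocated ni_challenge from an unfinished authentication, the stale-state reuse described in the log message is still possible there. Either confirm those paths cannot carry such state and say so in the new comment, or move the reset below the label and keep only the notification conditional.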