net80211: fix a NULL deref in ieee80211_sta_join1()
When ieee80211_sta_join1() gets an obss without ni_nt trying to lock
that will cause a NULL pointer deref. Check for the table to be
valid and deal with the obss node accordingly.
This can happen if sta_newstate() calls ieee80211_reset_bss() for
nstate == INIT and ostate != INIT. ieee80211_reset_bss() itself
calls ieee80211_node_table_reset() which calls node_reclaim()
which ends up in ieee80211_del_node_nt() which does remove the
node from the table and sets ni_table to NULL.
That node (former iv_bss) can then be returned as obss in the
(*iv_update_bss)() call in join1().
Approved by: re (cperciva)
Reviewed by: adrian, cc
Differential Revision: https://reviews.freebsd.org/D43469
(cherry picked from commit
8a5a3e3d0436a2de9dc5c2c10bd9a471b6338233)
(cherry picked from commit
755a04671dd47390f6d49695a6ac9c2d31c9935c)
projects / FreeBSD / FreeBSD.git / commit