Created attachment 239951 [details]
send an 802.11 mesh action frame to a node in adhoc mode -> NULL deref in mesh_verify_meshid()

I've attached a demo that sends a mesh action frame to an interface
that's in adhoc mode. vap->iv_mesh is NULL here:

mesh_verify_meshid(struct ieee80211vap *vap, const uint8_t *ie)
{
        struct ieee80211_mesh_state *ms = vap->iv_mesh;
        if (ie == NULL || ie[1] != ms->ms_idlen)


# cc wtap9a.c
# ./a.out
wlan0: received action from 00:98:9a:98:96:98 rssi 128
wlan0: adhoc_recv_mgmt: recv mgmt frame, addr2=00:98:9a:98:96:98, ni=0xffffffc073568000 (00:98:9a:98:96:98) fc=d0 00                                            
panic: Fatal page fault at 0xffffffc000430b66: 0000000000000000
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0
mesh_verify_meshid() at mesh_verify_meshid+0x1a
mesh_parse_meshpeering_action() at mesh_parse_meshpeering_action+0x198
mesh_recv_action_meshpeering_confirm() at mesh_recv_action_meshpeering_confirm+0x26                                                                             
ieee80211_recv_action() at ieee80211_recv_action+0x13c
adhoc_recv_mgmt() at adhoc_recv_mgmt+0x1d2
wtap_recv_mgmt() at wtap_recv_mgmt+0x28
adhoc_input() at adhoc_input+0x990
.LBB2_17() at .LBB2_17+0x34
taskqueue_run_locked() at taskqueue_run_locked+0x96
taskqueue_thread_loop() at taskqueue_thread_loop+0x62
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa