Message-Id: <1569766055-9392-1-git-send-email-wahrenst@gmx.net>
Date: Sun, 29 Sep 2019 16:07:35 +0200
From: Stefan Wahren <wahrenst@....net>
To: Johannes Berg <johannes@...solutions.net>,
Alexei Avshalom Lazar <ailizaro@...eaurora.org>
Cc: "David S. Miller" <davem@...emloft.net>,
Dmitry Osipenko <digetx@...il.com>,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, Stefan Wahren <wahrenst@....net>
Subject: [PATCH RFC] nl80211: Fix init of cfg80211 channel definition
The commit 2a38075cd0be ("nl80211: Add support for EDMG channels")
introduced a member to the cfg80211 channel definition. Unfortunately
the channel definitions are allocated on the stack and are not always
initialized via memset. Now this results in a broken probe of the brcmfmac
driver, because cfg80211_chandef_valid() accesses uninitialized memory
and fails. Fix this by initializing the remaining occurrences with memset.
Reported-by: Dmitry Osipenko <digetx@...il.com>
Signed-off-by: Stefan Wahren <wahrenst@....net>
---
net/mac80211/util.c | 1 +
net/wireless/nl80211.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 051a02d..d887753 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1885,6 +1885,7 @@ struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata,
* in order to maximize the chance that we get a response. Some
* badly-behaved APs don't respond when this parameter is included.
*/
+ memset(&chandef, 0, sizeof(struct cfg80211_chan_def));
chandef.width = sdata->vif.bss_conf.chandef.width;
if (flags & IEEE80211_PROBE_FLAG_DIRECTED)
chandef.chan = NULL;
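Review bot: the memset in ieee80211_build_probe_req() is inserted between the comment block ending "...when this parameter is included." and the code that comment introduces, so the comment now appears to describe the zeroing. Move the memset above the comment, or zero the struct where chandef is declared. Also prefer sizeof(chandef) over sizeof(struct cfg80211_chan_def), so the length follows the variable if its type ever changes.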
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index d21b158..9a107be 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2636,10 +2636,10 @@ int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
control_freq = nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]);
+ memset(chandef, 0, sizeof(struct cfg80211_chan_def));
chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
chandef->center_freq1 = control_freq;
- chandef->center_freq2 = 0;
/* Primary channel not allowed */
if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
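Review bot: in nl80211_parse_chandef() the length is written as sizeof(struct cfg80211_chan_def) although the destination is the chandef pointer; sizeof(*chandef) keeps the size tied to the object actually being cleared. The removed "chandef->center_freq2 = 0;" is covered by the memset, but the commit message does not mention that removal, so a sentence noting the explicit assignment became redundant would make the hunk easier to audit.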
@@ -3178,6 +3178,7 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
int ret;
struct cfg80211_chan_def chandef;
+ memset(&chandef, 0, sizeof(struct cfg80211_chan_def));
ret = rdev_get_channel(rdev, wdev, &chandef);
if (ret == 0) {
if (nl80211_send_chandef(msg, &chandef))
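Review bot: in nl80211_send_iface() the zeroing sits in the caller, directly before rdev_get_channel(rdev, wdev, &chandef), so it only protects this one call site. If the callback is allowed to leave fields unset, any other place that passes a stack chandef to rdev_get_channel() has the same uninitialized-read exposure; clearing the struct inside the rdev_get_channel() wrapper, or documenting that callers must pass a zeroed struct, would cover them all. For this site alone, initializing at the declaration ("struct cfg80211_chan_def chandef = {};") is shorter and cannot be separated from the variable by later edits.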
--
2.7.4