Message-Id: <20240915185804.83811-1-m.arhipov@rosa.ru>
Date: Sun, 15 Sep 2024 21:58:04 +0300
From: Mikhail Arkhipov <m.arhipov@...a.ru>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Mikhail Arkhipov <m.arhipov@...a.ru>,
	Lynn Lei <lynnl.yet@...il.com>,
	linux-staging@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	lvc-project@...uxtesting.org
Subject: [PATCH] staging: wlan-ng: Fix potential double free in skb_ether_to_p80211

Fix a potential double free of the p80211_wep->data pointer in the
skb_ether_to_p80211 function. When encryption fails, the function frees
p80211_wep->data but does not set the pointer to NULL, leading to the
possibility of double freeing the memory if the caller attempts to
free it again (calling function in p80211netdev.c (line 385) attempts
to free this memory again using kfree_sensitive at line 432).

Set p80211_wep->data to NULL after freeing it to ensure that further
attempts to free this pointer are safely handled, preventing a
double free error.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: b5956dd26f84 ("drivers/staging/wlan-ng/p80211conv.c: fixed a
 potential memory leak")
Signed-off-by: Mikhail Arkhipov <m.arhipov@...a.ru>
---
 drivers/staging/wlan-ng/p80211conv.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/wlan-ng/p80211conv.c b/drivers/staging/wlan-ng/p80211conv.c
index 0ff5fda81b05..b2e224e1e33f 100644
--- a/drivers/staging/wlan-ng/p80211conv.c
+++ b/drivers/staging/wlan-ng/p80211conv.c
@@ -215,6 +215,7 @@ int skb_ether_to_p80211(struct wlandevice *wlandev, u32 ethconv,
 				    "Host en-WEP failed, dropping frame (%d).\n",
 				    foo);
 			kfree(p80211_wep->data);
+			p80211_wep->data = NULL;
 			return 2;
 		}
 		fc |= cpu_to_le16(WLAN_SET_FC_ISWEP(1));
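
Review bot: at the kfree(p80211_wep->data) line in the "Host en-WEP failed" path, the buffer is released with plain kfree() while the commit message says the caller in p80211netdev.c releases the same pointer with kfree_sensitive(), so the two paths treat one buffer differently. Consider removing the kfree() from this error path and leaving the single release to the caller, or switching this call to kfree_sensitive() so the frame data is handled the same way on both paths. If the free-and-NULL pair stays as posted, a short comment above "p80211_wep->data = NULL;" saying that the caller frees this pointer again on error would explain why the assignment is needed and keep it from being removed as dead code later.
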
-- 
2.39.3 (Apple Git-146)

