| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1261578815.7304.7.camel@johannes.local>
Date: Wed, 23 Dec 2009 15:33:35 +0100
From: Johannes Berg <johannes@...solutions.net>
To: Dan Carpenter <error27@...il.com>
Cc: "John W. Linville" <linville@...driver.com>,
"David S. Miller" <davem@...emloft.net>,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org
Subject: [PATCH] cfg80211: fix error path in cfg80211_wext_siwscan
If there's an invalid channel or SSID, the code leaks
the scan request. Always free the scan request, unless
it was successfully given to the driver.
Reported-by: Dan Carpenter <error27@...il.com>
Signed-off-by: Johannes Berg <johannes@...solutions.net>
---
I kinda prefer this, thoughts?
net/wireless/scan.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- wireless-testing.orig/net/wireless/scan.c 2009-12-23 15:27:20.000000000 +0100
+++ wireless-testing/net/wireless/scan.c 2009-12-23 15:32:52.000000000 +0100
@@ -601,7 +601,7 @@ int cfg80211_wext_siwscan(struct net_dev
struct cfg80211_registered_device *rdev;
struct wiphy *wiphy;
struct iw_scan_req *wreq = NULL;
- struct cfg80211_scan_request *creq;
+ struct cfg80211_scan_request *creq = NULL;
int i, err, n_channels = 0;
enum ieee80211_band band;
@@ -694,8 +694,10 @@ int cfg80211_wext_siwscan(struct net_dev
/* translate "Scan for SSID" request */
if (wreq) {
if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
- if (wreq->essid_len > IEEE80211_MAX_SSID_LEN)
- return -EINVAL;
+ if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
+ err = -EINVAL;
+ goto out;
+ }
memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
creq->ssids[0].ssid_len = wreq->essid_len;
}
@@ -707,12 +709,15 @@ int cfg80211_wext_siwscan(struct net_dev
err = rdev->ops->scan(wiphy, dev, creq);
if (err) {
rdev->scan_req = NULL;
- kfree(creq);
+ /* creq will be freed below */
} else {
nl80211_send_scan_start(rdev, dev);
+ /* creq now owned by driver */
+ creq = NULL;
dev_hold(dev);
}
out:
+ kfree(creq);
cfg80211_unlock_rdev(rdev);
return err;
}
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists