
Commit 4699fc3f authored by Ganapathi Bhat's avatar Ganapathi Bhat Committed by Kalle Valo

mwifiex: Fix an issue spotted by KASAN



When an association command is sent to firmware but the process is
killed before the command response arrives, driver will try to
access bss_desc which is already freed. This issue is fixed by
checking return value of bss_start.

Signed-off-by: default avatarAmitkumar Karwar <akarwar@marvell.com>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
parent 08aba42f
+12 −0
@@ -647,6 +647,12 @@ int mwifiex_ret_802_11_associate(struct mwifiex_private *priv,
	const u8 *ie_ptr;
	struct ieee80211_ht_operation *assoc_resp_ht_oper;

	if (!priv->attempted_bss_desc) {
		mwifiex_dbg(priv->adapter, ERROR,
			    "ASSOC_RESP: failed, association terminated by host\n");
		goto done;
	}

	assoc_rsp = (struct ieee_types_assoc_rsp *) &resp->params;

	cap_info = le16_to_cpu(assoc_rsp->cap_info_bitmap);
@@ -1270,6 +1276,12 @@ int mwifiex_ret_802_11_ad_hoc(struct mwifiex_private *priv,
	u16 cmd = le16_to_cpu(resp->command);
	u8 result;

	if (!priv->attempted_bss_desc) {
		mwifiex_dbg(priv->adapter, ERROR,
			    "ADHOC_RESP: failed, association terminated by host\n");
		goto done;
	}

	if (cmd == HostCmd_CMD_802_11_AD_HOC_START)
		result = start_result->result;
	else
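Review bot: The new early-out in mwifiex_ret_802_11_associate jumps to `done` without setting `ret`, so if `ret` still holds its initial value at that point (its declaration and the `done:` label are both outside the hunk) the completion path reports the command as successful even though the association was abandoned by the host; the mirrored block added to mwifiex_ret_802_11_ad_hoc in the second hunk has the same gap. Consider `ret = -1;` before `goto done;` in both places, or whichever error value the other failure paths of these handlers already use. Separately, the check reads `priv->attempted_bss_desc` once and then the handler goes on to use the descriptor; unless this handler and mwifiex_bss_start (which clears the pointer after freeing the descriptor) are serialized by a lock not visible here, a response processed between the check and that later use can still reach freed memory, so the check narrows the window rather than closing it. Both functions continue beyond the hunk.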
+4 −0
@@ -426,6 +426,10 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
	if (bss_desc)
		kfree(bss_desc->beacon_buf);
	kfree(bss_desc);

	if (ret < 0)
		priv->attempted_bss_desc = NULL;

	return ret;
}
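Review bot: `priv->attempted_bss_desc` is cleared only after `bss_desc` and its beacon buffer have already been freed three lines earlier; if the two pointers alias (the commit message suggests so, but the assignment is not in this hunk) there is a window in which a concurrently processed association response finds a non-NULL pointer to freed memory. Moving the added `if (ret < 0) priv->attempted_bss_desc = NULL;` above the `if (bss_desc)` line shrinks that window at no cost. The success path leaves the pointer untouched; if it still refers to the freed descriptor on that path as well it is worth clearing unconditionally, though whether later code relies on it cannot be seen here. mwifiex_bss_start begins before the hunk, and the hunk header announces ten new-side lines while only nine are rendered, so one line may be missing from this view.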