Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 040bdf71 authored Aug 10, 2011 by Felix Fietkau Committed by John W. Linville Aug 11, 2011

cfg80211: fix a crash in nl80211_send_station



mac80211 leaves sinfo->assoc_req_ies uninitialized, causing a random
pointer memory access in nl80211_send_station.
Instead of checking if the pointer is null, use sinfo->filled, like
the rest of the fields.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

parent 6a6767b0

include/net/cfg80211.h

+3 −1

Original line number	Diff line number	Diff line
		@@ -421,6 +421,7 @@ struct station_parameters {
		* @STATION_INFO_RX_BITRATE: @rxrate fields are filled
		* @STATION_INFO_BSS_PARAM: @bss_param filled
		* @STATION_INFO_CONNECTED_TIME: @connected_time filled
		* @STATION_INFO_ASSOC_REQ_IES: @assoc_req_ies filled
		*/
		enum station_info_flags {
		STATION_INFO_INACTIVE_TIME = 1<<0,
		@@ -439,7 +440,8 @@ enum station_info_flags {
		STATION_INFO_SIGNAL_AVG = 1<<13,
		STATION_INFO_RX_BITRATE = 1<<14,
		STATION_INFO_BSS_PARAM = 1<<15,
		STATION_INFO_CONNECTED_TIME = 1<<16
		STATION_INFO_CONNECTED_TIME = 1<<16,
		STATION_INFO_ASSOC_REQ_IES = 1<<17
		};

		/**

net/wireless/nl80211.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2236,7 +2236,7 @@ static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
		}
		nla_nest_end(msg, sinfoattr);

		if (sinfo->assoc_req_ies)
		if (sinfo->filled & STATION_INFO_ASSOC_REQ_IES)
		NLA_PUT(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
		sinfo->assoc_req_ies);