cfg80211: fix a crash in nl80211_send_station
mac80211 leaves sinfo->assoc_req_ies uninitialized, causing a random pointer memory access in nl80211_send_station. Instead of checking if the pointer is null, use sinfo->filled, like the rest of the fields. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
parent
6a6767b046
commit
040bdf713d
@ -421,6 +421,7 @@ struct station_parameters {
|
||||
* @STATION_INFO_RX_BITRATE: @rxrate fields are filled
|
||||
* @STATION_INFO_BSS_PARAM: @bss_param filled
|
||||
* @STATION_INFO_CONNECTED_TIME: @connected_time filled
|
||||
* @STATION_INFO_ASSOC_REQ_IES: @assoc_req_ies filled
|
||||
*/
|
||||
enum station_info_flags {
|
||||
STATION_INFO_INACTIVE_TIME = 1<<0,
|
||||
@ -439,7 +440,8 @@ enum station_info_flags {
|
||||
STATION_INFO_SIGNAL_AVG = 1<<13,
|
||||
STATION_INFO_RX_BITRATE = 1<<14,
|
||||
STATION_INFO_BSS_PARAM = 1<<15,
|
||||
STATION_INFO_CONNECTED_TIME = 1<<16
|
||||
STATION_INFO_CONNECTED_TIME = 1<<16,
|
||||
STATION_INFO_ASSOC_REQ_IES = 1<<17
|
||||
};
|
||||
|
||||
/**
|
||||
|
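Review bot: The kernel-doc line added for STATION_INFO_ASSOC_REQ_IES names only @assoc_req_ies, but the consumer in nl80211_send_station reads the length through the same guard, so the flag really covers two fields. I would word it as `* @STATION_INFO_ASSOC_REQ_IES: @assoc_req_ies and @assoc_req_ies_len filled`, so a driver author knows both must be valid before setting the bit. The kernel-doc for the fields themselves is outside the lines shown; if it does not already say so, it should state that they are only meaningful when this flag is set in @filled.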
@ -2236,7 +2236,7 @@ static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
|
||||
}
|
||||
nla_nest_end(msg, sinfoattr);
|
||||
|
||||
if (sinfo->assoc_req_ies)
|
||||
if (sinfo->filled & STATION_INFO_ASSOC_REQ_IES)
|
||||
NLA_PUT(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
|
||||
sinfo->assoc_req_ies);
|
||||
|
||||
|
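Review bot: With `if (sinfo->filled & STATION_INFO_ASSOC_REQ_IES)` the flag becomes the only guard for both `sinfo->assoc_req_ies` and `sinfo->assoc_req_ies_len`, so a producer that sets the bit without a valid pointer and length would have NLA_PUT copy from an arbitrary kernel address into a netlink message delivered to user space. The producers are not part of the sections shown: any driver that already fills assoc_req_ies must now also set the new bit, otherwise the IEs silently drop out of the station event, and that is worth confirming before merge. As defence in depth, the struct station_info should also be zero-initialised where it is declared, presumably `memset(&sinfo, 0, sizeof(sinfo));` before the driver callback fills it (the callers are outside this page), so that a stale `filled` word or pointer can never reach this path. nl80211_send_station starts and ends outside the hunk.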