On Wed, Dec 28, 2016 at 03:47:07PM +0200, Andrei Otcheretianski wrote:
> It was possible that nl80211_get_hw_feature_data() function would return
> NULL when num_modes is not set to zero. This might result in a later crash
> when accessing hw.modes. This may be reproduced with hwsim oom tests, for
> example, dbus_connect_oom.
> Fix that by zeroing num_modes if NULL is returned.

I haven't been able to reproduce this.. Would you be able to identify the
caller that does not check the returned pointer? There should be no places
where *num_modes is used if NULL is returned..

> diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c
> @@ -1771,6 +1771,7 @@ nl80211_get_hw_feature_data(void *priv, u16 *num_modes, u16 *flags)
> os_free(result.modes[i].rates);
> }
> os_free(result.modes);
> + *num_modes = 0;
> return NULL;
> }
> return wpa_driver_nl80211_postprocess_modes(result.modes,

This does not look like a complete fix since the function can return NULL
also if processing of NL80211_CMD_GET_WIPHY response fails. I'd assume this
could potentially happen after having already incremented *num_modes.

In any case, if this can really be hit with the current hostap.git snapshot,
more appropriate fix would be to modify the caller that uses *num_modes if
NULL is returned from get_hw_feature_data().

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
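Review bot: The added `*num_modes = 0;` only covers the early-return path shown in this hunk (the one that frees result.modes before `return NULL;`), so any other NULL return from nl80211_get_hw_feature_data(), such as the NL80211_CMD_GET_WIPHY failure mentioned in the reply, can still leave *num_modes holding a count that was incremented before the failure, and a caller that reads *num_modes without checking the returned pointer would then walk a NULL hw.modes. Either reset *num_modes on every NULL return, or, as the reply suggests, fix the caller so that a NULL return is treated as "no modes" regardless of the count; the commit message should also name the caller that dereferences hw.modes without checking the pointer, since that is what makes the crash reachable.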