Fix a potential double free of the p80211_wep->data pointer in the
skb_ether_to_p80211 function. When encryption fails, the function frees
p80211_wep->data but does not set the pointer to NULL, leading to the
possibility of double freeing the memory if the caller attempts to
free it again (calling function in p80211netdev.c (line 385) attempts
to free this memory again using kfree_sensitive at line 432)
Set p80211_wep->data to NULL after freeing it to ensure that further
attempts to free this pointer are safely handled, preventing a
double free error.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: b5956dd26f84 ("drivers/staging/wlan-ng/p80211conv.c: fixed a
potential memory leak")
Signed-off-by: Mikhail Arkhipov <m.arhipov@xxxxxxx>
---
drivers/staging/wlan-ng/p80211conv.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/wlan-ng/p80211conv.c b/drivers/staging/wlan-ng/p80211conv.c
index 0ff5fda81b05..b2e224e1e33f 100644
--- a/drivers/staging/wlan-ng/p80211conv.c
+++ b/drivers/staging/wlan-ng/p80211conv.c
@@ -215,6 +215,7 @@ int skb_ether_to_p80211(struct wlandevice *wlandev, u32 ethconv,
"Host en-WEP failed, dropping frame (%d).\n",
foo);
kfree(p80211_wep->data);
+ p80211_wep->data = NULL;
return 2;
}
fc |= cpu_to_le16(WLAN_SET_FC_ISWEP(1));
--
2.39.3 (Apple Git-146)
