On Sun, Sep 15, 2024 at 09:58:04PM +0300, Mikhail Arkhipov wrote: > Fix a potential double free of the p80211_wep->data pointer in the > skb_ether_to_p80211 function. When encryption fails, the function frees > p80211_wep->data but does not set the pointer to NULL, leading to the > possibility of double freeing the memory if the caller attempts to > free it again (calling function in p80211netdev.c (line 385) attempts > to free this memory again using kfree_sensitive at line 432) > > Set p80211_wep->data to NULL after freeing it to ensure that further > attempts to free this pointer are safely handled, preventing a > double free error. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: b5956dd26f84 ("drivers/staging/wlan-ng/p80211conv.c: fixed a > potential memory leak") > Signed-off-by: Mikhail Arkhipov <m.arhipov@xxxxxxx> > --- > drivers/staging/wlan-ng/p80211conv.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/staging/wlan-ng/p80211conv.c b/drivers/staging/wlan-ng/p80211conv.c > index 0ff5fda81b05..b2e224e1e33f 100644 > --- a/drivers/staging/wlan-ng/p80211conv.c > +++ b/drivers/staging/wlan-ng/p80211conv.c > @@ -215,6 +215,7 @@ int skb_ether_to_p80211(struct wlandevice *wlandev, u32 ethconv, > "Host en-WEP failed, dropping frame (%d).\n", > foo); > kfree(p80211_wep->data); > + p80211_wep->data = NULL; > return 2; > } > fc |= cpu_to_le16(WLAN_SET_FC_ISWEP(1)); > -- > 2.39.3 (Apple Git-146) > Hi Mikhail, I cannot apply your patch. Reason is that wlan-ng was removed some month ago. Are you using the right git repo? git remote show origin * remote origin Fetch URL: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git ... git branch -a my branch: staging-testing Thanks for your support. Bye Philipp
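Review bot: at the kfree(p80211_wep->data) in the "Host en-WEP failed" branch, the buffer is released with plain kfree(), while the commit message says the caller in p80211netdev.c releases the same pointer with kfree_sensitive(). On this failure path the buffer is therefore freed without being explicitly zeroed, and it has two owners. Setting the pointer to NULL does turn the caller's later free into a no-op, but a cleaner fix is to drop the kfree() here and let the caller's kfree_sensitive() be the single release point. If the free stays in this function, use kfree_sensitive(p80211_wep->data) followed by p80211_wep->data = NULL. Separately, the Fixes: tag in the commit message is wrapped across two lines and should be kept on one line.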