The commit 2a38075cd0be ("nl80211: Add support for EDMG channels") introduced a member to the cfg80211 channel definition. Unfortunately the channel definitions are allocated on the stack and are not always initialized via memset. Now this results in a broken probe of the brcmfmac driver, because cfg80211_chandef_valid() accesses uninitialized memory and fails. Fix this by initializing the remaining occurrences with memset. Reported-by: Dmitry Osipenko <digetx@xxxxxxxxx> Signed-off-by: Stefan Wahren <wahrenst@xxxxxxx> Fixes: 2a38075cd0be ("nl80211: Add support for EDMG channels") --- net/mac80211/util.c | 1 + net/wireless/nl80211.c | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 051a02d..d887753 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1885,6 +1885,7 @@ struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata, * in order to maximize the chance that we get a response. Some * badly-behaved APs don't respond when this parameter is included. */ + memset(&chandef, 0, sizeof(struct cfg80211_chan_def)); chandef.width = sdata->vif.bss_conf.chandef.width; if (flags & IEEE80211_PROBE_FLAG_DIRECTED) chandef.chan = NULL; diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index d21b158..9a107be 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -2636,10 +2636,10 @@ int nl80211_parse_chandef(struct cfg80211_registered_device *rdev, control_freq = nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]); + memset(chandef, 0, sizeof(struct cfg80211_chan_def)); chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq); chandef->width = NL80211_CHAN_WIDTH_20_NOHT; chandef->center_freq1 = control_freq; - chandef->center_freq2 = 0; /* Primary channel not allowed */ if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) { 
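Review bot: The memset added in ieee80211_build_probe_req is placed between the existing `* badly-behaved APs ... */` comment and the `chandef.width` assignment it used to sit directly above, so the comment now reads as if it explained the memset; moving the clear above the comment, or zeroing at the declaration with `struct cfg80211_chan_def chandef = {};` (the declaration is outside this hunk), keeps the comment attached to the code it was written for. The size should also be taken from the object rather than the type, `memset(&chandef, 0, sizeof(chandef));`, so the cleared length cannot drift if the variable's type changes. Since the EDMG member added by 2a38075cd0be is the reason an explicit clear is now required, a short comment such as `/* zero edmg and any other field not set explicitly below */` would tell the next reader why plain field assignments are no longer enough. ieee80211_build_probe_req begins and ends outside the hunk.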
@@ -3178,6 +3178,7 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag int ret; struct cfg80211_chan_def chandef; + memset(&chandef, 0, sizeof(struct cfg80211_chan_def)); ret = rdev_get_channel(rdev, wdev, &chandef); if (ret == 0) { if (nl80211_send_chandef(msg, &chandef)) -- 2.7.4
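Review bot: `struct cfg80211_chan_def chandef;` is declared two lines above the added memset in nl80211_send_iface, so the clear belongs on the declaration, `struct cfg80211_chan_def chandef = {};`, which removes the window in which the object exists uninitialized and avoids naming the type a second time (`sizeof(chandef)` would do the same if the memset stays). This site deserves a comment because it is more than a probe fix: the struct is filled by rdev_get_channel() and then handed to nl80211_send_chandef(msg, ...), which appears to serialize it into the netlink reply `msg`, so if a driver's get_channel callback sets only some fields, the remaining stack bytes would previously have been copied out to userspace; zeroing here also closes that potential kernel stack disclosure, and the commit message could mention it. Something like `/* zero first: rdev_get_channel() may leave fields unset and the struct is sent to userspace */` would record the reason. nl80211_send_iface begins and ends outside the hunk.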