On 12/5/2022 11:40 AM, Aloka Dixit wrote:
On 12/2/2022 8:44 AM, Jouni Malinen wrote:
On Mon, Nov 14, 2022 at 12:19:03PM -0800, Aloka Dixit wrote:
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
@@ -3338,7 +3338,8 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data
*beacon)
len = beacon->head_len + beacon->tail_len +
beacon->beacon_ies_len +
beacon->proberesp_ies_len + beacon->assocresp_ies_len +
beacon->probe_resp_len + beacon->lci_len +
beacon->civicloc_len +
- ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies);
+ ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies,
+ beacon->mbssid_ies->cnt);
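Review bot: the added argument dereferences beacon->mbssid_ies unconditionally (`beacon->mbssid_ies->cnt`) while the removed line only passed the pointer itself to ieee80211_get_mbssid_beacon_len(), so any NULL check the helper used to perform on that pointer is now bypassed and a NULL beacon->mbssid_ies faults in cfg80211_beacon_dup() before the callee runs. Guard the dereference at the call site, e.g. `beacon->mbssid_ies ? beacon->mbssid_ies->cnt : 0`, or keep passing the pointer and let the helper read cnt after its own NULL check.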
beacon->mbssid_ies can be NULL here and that is going to result in a
kernel panic. For example, check with hostap.git test case
ap_ht_20_to_40_csa.
Oh, thank you, will fix it.
@Johannes, I noticed that commit 2b3171c6fe0af24b5506
missed freeing old->mbssid_ies (2 places) and old_beacon->mbssid_ies
that were part of
https://patchwork.kernel.org/project/linux-wireless/patch/20210916025437.29138-4-alokad@xxxxxxxxxxxxxx/.
I will add those in the next version as well.
Any better way to catch missing free() calls that you can recommend?
Thanks.
My bad, please ignore the above comment. The design was changed a bit
between those two versions, and the current one does not allocate
separate memory for mbssid_ies but instead adds the required length to the
original allocation.