On Tue, Apr 4, 2023 at 6:18 PM Simon Horman <simon.horman@xxxxxxxxxxxx> wrote:
>
> On Tue, Apr 04, 2023 at 01:48:03PM +0000, Eric Dumazet wrote:
> > syzbot reported a NULL deref caused by a missing check
> > in hwsim_pmsr_report_nl(), and bisected the issue to cited commit.
> >
>
> Hi Eric,
>
> I think this is for net-next / wireless-next as
> the above-mentioned patch does not seem to be in Linus's tree.

Oh right, script error on my side. This was generated from the -next tree.

> > ---
> >  drivers/net/wireless/virtual/mac80211_hwsim.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
> > index f446d8f6e1f6e1df108db00e898fa02970162585..701e14b8e6fe0cae7ee2478c8dff0f2327b54a70 100644
> > --- a/drivers/net/wireless/virtual/mac80211_hwsim.c
> > +++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
> > @@ -3761,6 +3761,8 @@ static int hwsim_pmsr_report_nl(struct sk_buff *msg, struct genl_info *info)
> >  	int rem;
> >
> >  	src = nla_data(info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER]);
> > +	if (!src)
> > +		return -EINVAL;
> >  	data = get_hwsim_data_ref_from_addr(src);
> >  	if (!data)
> >  		return -EINVAL;
>
> I could well be wrong, but this looks a little odd given that nla_data is:
>
> static inline void *nla_data(const struct nlattr *nla)
> {
> 	return (char *) nla + NLA_HDRLEN;
> }
>
> Perhaps we want something like this (*compile tested only!*) ?
>
> 	if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER])
> 		return -EINVAL;
> 	src = nla_data(info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER]);

Oh right, thanks for reviewing this :)

I will send a V2 soon.
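Review bot: The added `if (!src)` check in the hwsim_pmsr_report_nl() hunk cannot catch the missing attribute, because nla_data() is just `(char *) nla + NLA_HDRLEN` and NLA_HDRLEN is a nonzero constant: when info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] is NULL, src becomes a small non-NULL bogus pointer, the check is skipped, and get_hwsim_data_ref_from_addr(src) still dereferences it, so the syzbot crash is not fixed. Test the attribute pointer before calling nla_data(), as in Simon's suggestion: `if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER]) return -EINVAL;` followed by the existing `src = nla_data(...)` line. The V2 should also carry a short comment or commit-message note that the attribute is optional in the policy and therefore must be validated in the handler, so the next reader does not reintroduce a post-nla_data() NULL check.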