Hi!
> [ Upstream commit 6ef09cdc5ba0f93826c09d810c141a8d103a80fc ]
>
> In 'cfg80211_wext_siwscan()', add extra check whether number of
> channels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed
> IW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.
This results in very confusing code in 4.19 at least. It should goto
out for consistency, exploting kfree(NULL) to be nop. Ok, not sure we
care...
Best regards,
Pavel
> diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> index dacb9ceee3efd..0dc27703443c8 100644
> --- a/net/wireless/scan.c
> +++ b/net/wireless/scan.c
> @@ -1405,10 +1405,14 @@ int cfg80211_wext_siwscan(struct net_device *dev,
> wiphy = &rdev->wiphy;
>
> /* Determine number of channels, needed to allocate creq */
> - if (wreq && wreq->num_channels)
> + if (wreq && wreq->num_channels) {
> + /* Passed from userspace so should be checked */
> + if (unlikely(wreq->num_channels > IW_MAX_FREQUENCIES))
> + return -EINVAL;
> n_channels = wreq->num_channels;
> - else
> + } else {
> n_channels = ieee80211_get_num_supported_channels(wiphy);
> + }
>
> creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) +
> n_channels * sizeof(void *),
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Attachment:
signature.asc
Description: PGP signature
