
[PATCH] nl80211: Check that function pointer != NULL before using it

NL80211_CMD_GET_MESH_PARAMS and NL80211_CMD_SET_MESH_PARAMS handlers
did not verify whether a function pointer is NULL (not supported by
the driver) before trying to call the function. The former nl80211
command is available for unprivileged users, too, so this can
potentially allow normal users to kill networking (or worse..) if
mac80211 is built without CONFIG_MAC80211_MESH=y.

Signed-off-by: Jouni Malinen <jouni.malinen@xxxxxxxxxxx>

---
 net/wireless/nl80211.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

The bug was introduced by 93da9cc17c5ae8a751886fd4732db89ad5e9bdb9 and
the fix should be applied to 2.6.29, too. The patch seems to apply
with some fuzz into linux-2.6.git even though the locking rework in
wireless-testing is not there. The end result looks correct, but I
have only tested this with wireless-testing. If I checked correctly,
this commit was not included in 2.6.28.


--- uml.orig/net/wireless/nl80211.c	2009-03-20 17:37:56.000000000 +0200
+++ uml/net/wireless/nl80211.c	2009-03-20 17:38:58.000000000 +0200
@@ -2039,6 +2039,11 @@ static int nl80211_get_mesh_params(struc
 	if (err)
 		goto out_rtnl;
 
+	if (!drv->ops->get_mesh_params) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	/* Get the mesh params */
 	err = drv->ops->get_mesh_params(&drv->wiphy, dev, &cur_params);
 	if (err)
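
Review bot: The new NULL check in nl80211_get_mesh_params exits through "goto out", while the failure just above it uses "goto out_rtnl", and no hunk in this patch adds an out label to this function. Confirm that the existing label releases whatever was acquired by the call whose err is tested just above and then reaches the out_rtnl unwinding; if it only covers later failures, add a label at the cleanup the way the last hunk does for the set handler.
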
@@ -2151,6 +2156,11 @@ static int nl80211_set_mesh_params(struc
 	if (err)
 		goto out_rtnl;
 
+	if (!drv->ops->set_mesh_params) {
+		err = -EOPNOTSUPP;
+		goto out;
+	}
+
 	/* This makes sure that there aren't more than 32 mesh config
 	 * parameters (otherwise our bitfield scheme would not work.) */
 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
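
Review bot: The check on drv->ops->set_mesh_params has no comment saying what a NULL op means, and it sits ahead of the BUILD_BUG_ON and everything after it, so a driver without the op returns -EOPNOTSUPP whatever the request contains. A one-line comment stating that a NULL op means the driver does not support mesh would document that, here and in the get handler. The same four lines now appear in both handlers, so a small shared helper would keep the two checks in step.
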
@@ -2193,6 +2203,7 @@ static int nl80211_set_mesh_params(struc
 	/* Apply changes */
 	err = drv->ops->set_mesh_params(&drv->wiphy, dev, &cfg, mask);
 
+ out:
 	/* cleanup */
 	cfg80211_put_dev(drv);
 	dev_put(dev);
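
Review bot: The out label added ahead of the cleanup comment makes the -EOPNOTSUPP path run cfg80211_put_dev(drv) and dev_put(dev), but the out_rtnl label used by the earlier failure is not in the visible context. Confirm that execution falls through from here into out_rtnl so the new path unwinds the same state as a failed set_mesh_params call.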

-- 
Jouni Malinen                                            PGP id EFC895FA