I don't fully understand the code, but let's imagine the following situation:

- cfg80211_bss_update was called and the ie was stored to allocated space.
- The information_elements pointer is changed to the allocated space.
- cfg80211_bss_update is called again, but now the ie fits into the space after the "found" structure.
- But the information_elements pointer still points to the allocated space.

So it may overrun the buffer and crash. Is this scenario possible? If yes, please consider the following patch.

Signed-off-by: Michael Buesch <mb@xxxxxxxxx>

--- net/wireless/scan.c | 5 +++++ 1 file changed, 5 insertions(+) --- wireless-testing.orig/net/wireless/scan.c +++ wireless-testing/net/wireless/scan.c @@ -378,6 +378,11 @@ cfg80211_bss_update(struct cfg80211_regi size_t ielen = res->pub.len_information_elements; if (ksize(found) >= used + ielen) { + if (found->ies_allocated) { + kfree(found->pub.information_elements); + found->ies_allocated = false; + found->pub.information_elements = (u8 *)found + used; + } memcpy(found->pub.information_elements, res->pub.information_elements, ielen); found->pub.len_information_elements = ielen;

--
Greetings, Michael.
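Review bot: the kfree() of found->pub.information_elements in the new block runs before the memcpy(), which is only safe because the copy source is res->pub.information_elements, a different buffer, and not the one just freed; a short comment saying so would stop a later reader from seeing a use-after-free. The block also repoints to `(u8 *)found + used`, so it depends on `used` being the offset of the inline IE area that `ksize(found) >= used + ielen` was computed against; that is consistent within the visible hunk, but worth stating in the commit message, since the branch that sets ies_allocated and allocates the separate buffer is outside this hunk and cannot be checked here. Suggested addition above the kfree(): `/* Drop the separately allocated IE buffer; the new IEs fit inline after found, and the source of the copy below is res, not this buffer. */`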