On Wed, Dec 23, 2009 at 03:33:35PM +0100, Johannes Berg wrote:
> If there's an invalid channel or SSID, the code leaks
> the scan request. Always free the scan request, unless
> it was successfully given to the driver.
>
> Reported-by: Dan Carpenter <error27@xxxxxxxxx>
> Signed-off-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
> ---
> I kinda prefer this, thoughts?
>
Looks good.
Acked-by: Dan Carpenter <error27@xxxxxxxxx>
regards,
dan carpenter
> net/wireless/scan.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> --- wireless-testing.orig/net/wireless/scan.c 2009-12-23 15:27:20.000000000 +0100
> +++ wireless-testing/net/wireless/scan.c 2009-12-23 15:32:52.000000000 +0100
> @@ -601,7 +601,7 @@ int cfg80211_wext_siwscan(struct net_dev
> struct cfg80211_registered_device *rdev;
> struct wiphy *wiphy;
> struct iw_scan_req *wreq = NULL;
> - struct cfg80211_scan_request *creq;
> + struct cfg80211_scan_request *creq = NULL;
> int i, err, n_channels = 0;
> enum ieee80211_band band;
>
> @@ -694,8 +694,10 @@ int cfg80211_wext_siwscan(struct net_dev
> /* translate "Scan for SSID" request */
> if (wreq) {
> if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
> - if (wreq->essid_len > IEEE80211_MAX_SSID_LEN)
> - return -EINVAL;
> + if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
> + err = -EINVAL;
> + goto out;
> + }
> memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
> creq->ssids[0].ssid_len = wreq->essid_len;
> }
> @@ -707,12 +709,15 @@ int cfg80211_wext_siwscan(struct net_dev
> err = rdev->ops->scan(wiphy, dev, creq);
> if (err) {
> rdev->scan_req = NULL;
> - kfree(creq);
> + /* creq will be freed below */
> } else {
> nl80211_send_scan_start(rdev, dev);
> + /* creq now owned by driver */
> + creq = NULL;
> dev_hold(dev);
> }
> out:
> + kfree(creq);
> cfg80211_unlock_rdev(rdev);
> return err;
> }
>
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
