mac80211 leaves sinfo->assoc_req_ies uninitialized, causing a random
pointer memory access in nl80211_send_station.
Instead of checking if the pointer is null, use sinfo->filled, like
the rest of the fields.
Signed-off-by: Felix Fietkau <nbd@xxxxxxxxxxx>
---
include/net/cfg80211.h | 4 +++-
net/wireless/nl80211.c | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 779e300..96876d3 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -421,6 +421,7 @@ struct station_parameters {
* @STATION_INFO_RX_BITRATE: @rxrate fields are filled
* @STATION_INFO_BSS_PARAM: @bss_param filled
* @STATION_INFO_CONNECTED_TIME: @connected_time filled
+ * @STATION_INFO_ASSOC_REQ_IES: @assoc_req_ies filled
*/
enum station_info_flags {
STATION_INFO_INACTIVE_TIME = 1<<0,
@@ -439,7 +440,8 @@ enum station_info_flags {
STATION_INFO_SIGNAL_AVG = 1<<13,
STATION_INFO_RX_BITRATE = 1<<14,
STATION_INFO_BSS_PARAM = 1<<15,
- STATION_INFO_CONNECTED_TIME = 1<<16
+ STATION_INFO_CONNECTED_TIME = 1<<16,
+ STATION_INFO_ASSOC_REQ_IES = 1<<17
};
/**
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index ca76977..253e563 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2236,7 +2236,7 @@ static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
}
nla_nest_end(msg, sinfoattr);
- if (sinfo->assoc_req_ies)
+ if (sinfo->filled & STATION_INFO_ASSOC_REQ_IES)
NLA_PUT(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
sinfo->assoc_req_ies);
--
1.7.3.2
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
