cfg80211: Fix use after free when process wdev events

"bssid" is only initialized out of the while loop, in case of two events with same type: EVENT_CONNECT_RESULT, but one has zero ether addr, the other is non-zero, the bssid pointer will be referenced twice, which lead to use-after-free issue Change-Id: Ie8a24275f7ec5c2f936ef0a802a42e5f63be9c71 CRs-Fixed: 2254305 Signed-off-by: Zhu Jianmin <jianminz@codeaurora.org>
2024-11-06 23:17:41 +00:00 · 2018-07-24 22:11:09 +08:00 · 2018-07-24 22:11:09 +08:00 · 58d618c7b5
commit 58d618c7b5
parent 82faa84aab
1 changed files with 1 additions and 2 deletions
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@ -739,8 +739,7 @@ void cfg80211_process_wdev_events(struct wireless_dev *wdev)
 		wdev_lock(wdev);
 		switch (ev->type) {
 		case EVENT_CONNECT_RESULT:
-			if (!is_zero_ether_addr(ev->cr.bssid))
-				bssid = ev->cr.bssid;
+			bssid = ev->cr.bssid;
 			__cfg80211_connect_result(
 				wdev->netdev, bssid,
 				ev->cr.req_ie, ev->cr.req_ie_len,