Piteball/android_kernel_google_msm
1
0
Fork 0
mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-11-06 23:17:41 +00:00
Code Issues Projects Releases Wiki Activity

cfg80211: Fix use after free when process wdev events

Browse source 
"bssid" is only initialized out of the while loop, in case of two
events with same type: EVENT_CONNECT_RESULT, but one has zero
ether addr, the other is non-zero, the bssid pointer will be
referenced twice, which lead to use-after-free issue

Change-Id: Ie8a24275f7ec5c2f936ef0a802a42e5f63be9c71
CRs-Fixed: 2254305
Signed-off-by: Zhu Jianmin <jianminz@codeaurora.org>
This commit is contained in:
Jianmin Zhu 2018-07-24 22:11:09 +08:00 committed by followmsi
parent 44a0cb8a3b
commit e66d0cdf25
1 changed files with 1 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
net/wireless/util.c
View file

@ -739,8 +739,7 @@ void cfg80211_process_wdev_events(struct wireless_dev *wdev)
wdev_lock(wdev); wdev_lock(wdev);
switch (ev->type) { switch (ev->type) {
case EVENT_CONNECT_RESULT: case EVENT_CONNECT_RESULT:
if (!is_zero_ether_addr(ev->cr.bssid)) bssid = ev->cr.bssid;
bssid = ev->cr.bssid;
__cfg80211_connect_result( __cfg80211_connect_result(
wdev->netdev, bssid, wdev->netdev, bssid,
ev->cr.req_ie, ev->cr.req_ie_len, ev->cr.req_ie, ev->cr.req_ie_len,