mirror of
https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
synced 2024-09-22 04:15:02 +00:00
cfg80211: fix error path in cfg80211_wext_siwscan
If there's an invalid channel or SSID, the code leaks the scan request. Always free the scan request, unless it was successfully given to the driver. Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Acked-by: Dan Carpenter <error27@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
parent
befabac2d8
commit
65486c8b30
1 changed files with 9 additions and 4 deletions
|
@ -601,7 +601,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
|
||||||
struct cfg80211_registered_device *rdev;
|
struct cfg80211_registered_device *rdev;
|
||||||
struct wiphy *wiphy;
|
struct wiphy *wiphy;
|
||||||
struct iw_scan_req *wreq = NULL;
|
struct iw_scan_req *wreq = NULL;
|
||||||
struct cfg80211_scan_request *creq;
|
struct cfg80211_scan_request *creq = NULL;
|
||||||
int i, err, n_channels = 0;
|
int i, err, n_channels = 0;
|
||||||
enum ieee80211_band band;
|
enum ieee80211_band band;
|
||||||
|
|
||||||
|
@ -694,8 +694,10 @@ int cfg80211_wext_siwscan(struct net_device *dev,
|
||||||
/* translate "Scan for SSID" request */
|
/* translate "Scan for SSID" request */
|
||||||
if (wreq) {
|
if (wreq) {
|
||||||
if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
|
if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
|
||||||
if (wreq->essid_len > IEEE80211_MAX_SSID_LEN)
|
if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
|
||||||
return -EINVAL;
|
err = -EINVAL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
|
memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
|
||||||
creq->ssids[0].ssid_len = wreq->essid_len;
|
creq->ssids[0].ssid_len = wreq->essid_len;
|
||||||
}
|
}
|
||||||
|
@ -707,12 +709,15 @@ int cfg80211_wext_siwscan(struct net_device *dev,
|
||||||
err = rdev->ops->scan(wiphy, dev, creq);
|
err = rdev->ops->scan(wiphy, dev, creq);
|
||||||
if (err) {
|
if (err) {
|
||||||
rdev->scan_req = NULL;
|
rdev->scan_req = NULL;
|
||||||
kfree(creq);
|
/* creq will be freed below */
|
||||||
} else {
|
} else {
|
||||||
nl80211_send_scan_start(rdev, dev);
|
nl80211_send_scan_start(rdev, dev);
|
||||||
|
/* creq now owned by driver */
|
||||||
|
creq = NULL;
|
||||||
dev_hold(dev);
|
dev_hold(dev);
|
||||||
}
|
}
|
||||||
out:
|
out:
|
||||||
|
kfree(creq);
|
||||||
cfg80211_unlock_rdev(rdev);
|
cfg80211_unlock_rdev(rdev);
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue