diff options
| author | Arik Nemtsov <arik@wizery.com> | 2012-07-09 12:57:28 -0400 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2012-07-12 06:10:42 -0400 |
| commit | d811b3d5566f1441b321a1219c260124b209e0bd (patch) | |
| tree | 86cd54ea8eaeb899d56496bd1f4d6b04a8ff38bb | |
| parent | fd0142844efa85d89017c89227a0f03de1eee327 (diff) | |
mac80211: fix invalid band deref building preq IEs
The function building probe-request IEs does not validate the band is
supported before dereferencing it. This can result in a panic when
all bands are traversed, as done during sched-scan start.
Warn when this happens and return an empty probe request. Also fix
sched-scan to not waste memory on unsupported bands.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| -rw-r--r-- | net/mac80211/scan.c | 3 | ||||
| -rw-r--r-- | net/mac80211/util.c | 2 |
2 files changed, 5 insertions, 0 deletions
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index 379f178eab5f..1ff04f689d1f 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c | |||
| @@ -928,6 +928,9 @@ int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata, | |||
| 928 | } | 928 | } |
| 929 | 929 | ||
| 930 | for (i = 0; i < IEEE80211_NUM_BANDS; i++) { | 930 | for (i = 0; i < IEEE80211_NUM_BANDS; i++) { |
| 931 | if (!local->hw.wiphy->bands[i]) | ||
| 932 | continue; | ||
| 933 | |||
| 931 | local->sched_scan_ies.ie[i] = kzalloc(2 + | 934 | local->sched_scan_ies.ie[i] = kzalloc(2 + |
| 932 | IEEE80211_MAX_SSID_LEN + | 935 | IEEE80211_MAX_SSID_LEN + |
| 933 | local->scan_ies_len + | 936 | local->scan_ies_len + |
diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 64493a7bef1a..596db0c2a113 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c | |||
| @@ -999,6 +999,8 @@ int ieee80211_build_preq_ies(struct ieee80211_local *local, u8 *buffer, | |||
| 999 | int ext_rates_len; | 999 | int ext_rates_len; |
| 1000 | 1000 | ||
| 1001 | sband = local->hw.wiphy->bands[band]; | 1001 | sband = local->hw.wiphy->bands[band]; |
| 1002 | if (WARN_ON_ONCE(!sband)) | ||
| 1003 | return 0; | ||
| 1002 | 1004 | ||
| 1003 | pos = buffer; | 1005 | pos = buffer; |
| 1004 | 1006 | ||