diff options
author | Johannes Berg <johannes.berg@intel.com> | 2013-07-30 16:34:28 -0400 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2013-07-30 16:40:34 -0400 |
commit | c319d50bfcf678c2857038276d9fab3c6646f3bf (patch) | |
tree | fcdfa7d5417adb75c7957272dbb1e5ed91da3001 | |
parent | 23df0b731954502a9391e739b92927cee4360343 (diff) |
nl80211: fix another nl80211_fam.attrbuf race
This is similar to the race Linus had reported, but in this case
it's an older bug: nl80211_prepare_wdev_dump() uses the wiphy
index in cb->args[0] as it is and thus parses the message over
and over again instead of just once because 0 is the first valid
wiphy index. Similar code in nl80211_testmode_dump() correctly
offsets the wiphy_index by 1, do that here as well.
Cc: stable@vger.kernel.org
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-rw-r--r-- | net/wireless/nl80211.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 25d217d90807..3fcba69817e5 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c | |||
@@ -441,10 +441,12 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb, | |||
441 | goto out_unlock; | 441 | goto out_unlock; |
442 | } | 442 | } |
443 | *rdev = wiphy_to_dev((*wdev)->wiphy); | 443 | *rdev = wiphy_to_dev((*wdev)->wiphy); |
444 | cb->args[0] = (*rdev)->wiphy_idx; | 444 | /* 0 is the first index - add 1 to parse only once */ |
445 | cb->args[0] = (*rdev)->wiphy_idx + 1; | ||
445 | cb->args[1] = (*wdev)->identifier; | 446 | cb->args[1] = (*wdev)->identifier; |
446 | } else { | 447 | } else { |
447 | struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0]); | 448 | /* subtract the 1 again here */ |
449 | struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1); | ||
448 | struct wireless_dev *tmp; | 450 | struct wireless_dev *tmp; |
449 | 451 | ||
450 | if (!wiphy) { | 452 | if (!wiphy) { |