diff options
author | Johannes Berg <johannes@sipsolutions.net> | 2009-12-23 09:33:35 -0500 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-12-28 16:19:58 -0500 |
commit | 65486c8b30498dd274eea2c542696f22b63fe5b8 (patch) | |
tree | 4bcbeb24ce1655c275f2e1780cacefaf2b306781 | |
parent | befabac2d8e4925b97c5eebc78ecc4b2079fd9dd (diff) |
cfg80211: fix error path in cfg80211_wext_siwscan
If there's an invalid channel or SSID, the code leaks
the scan request. Always free the scan request, unless
it was successfully given to the driver.
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Acked-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | net/wireless/scan.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 12dfa62aad18..0c2cbbebca95 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c | |||
@@ -601,7 +601,7 @@ int cfg80211_wext_siwscan(struct net_device *dev, | |||
601 | struct cfg80211_registered_device *rdev; | 601 | struct cfg80211_registered_device *rdev; |
602 | struct wiphy *wiphy; | 602 | struct wiphy *wiphy; |
603 | struct iw_scan_req *wreq = NULL; | 603 | struct iw_scan_req *wreq = NULL; |
604 | struct cfg80211_scan_request *creq; | 604 | struct cfg80211_scan_request *creq = NULL; |
605 | int i, err, n_channels = 0; | 605 | int i, err, n_channels = 0; |
606 | enum ieee80211_band band; | 606 | enum ieee80211_band band; |
607 | 607 | ||
@@ -694,8 +694,10 @@ int cfg80211_wext_siwscan(struct net_device *dev, | |||
694 | /* translate "Scan for SSID" request */ | 694 | /* translate "Scan for SSID" request */ |
695 | if (wreq) { | 695 | if (wreq) { |
696 | if (wrqu->data.flags & IW_SCAN_THIS_ESSID) { | 696 | if (wrqu->data.flags & IW_SCAN_THIS_ESSID) { |
697 | if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) | 697 | if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) { |
698 | return -EINVAL; | 698 | err = -EINVAL; |
699 | goto out; | ||
700 | } | ||
699 | memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len); | 701 | memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len); |
700 | creq->ssids[0].ssid_len = wreq->essid_len; | 702 | creq->ssids[0].ssid_len = wreq->essid_len; |
701 | } | 703 | } |
@@ -707,12 +709,15 @@ int cfg80211_wext_siwscan(struct net_device *dev, | |||
707 | err = rdev->ops->scan(wiphy, dev, creq); | 709 | err = rdev->ops->scan(wiphy, dev, creq); |
708 | if (err) { | 710 | if (err) { |
709 | rdev->scan_req = NULL; | 711 | rdev->scan_req = NULL; |
710 | kfree(creq); | 712 | /* creq will be freed below */ |
711 | } else { | 713 | } else { |
712 | nl80211_send_scan_start(rdev, dev); | 714 | nl80211_send_scan_start(rdev, dev); |
715 | /* creq now owned by driver */ | ||
716 | creq = NULL; | ||
713 | dev_hold(dev); | 717 | dev_hold(dev); |
714 | } | 718 | } |
715 | out: | 719 | out: |
720 | kfree(creq); | ||
716 | cfg80211_unlock_rdev(rdev); | 721 | cfg80211_unlock_rdev(rdev); |
717 | return err; | 722 | return err; |
718 | } | 723 | } |