aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohannes Berg <johannes@sipsolutions.net>2009-12-23 09:33:35 -0500
committerJohn W. Linville <linville@tuxdriver.com>2009-12-28 16:19:58 -0500
commit65486c8b30498dd274eea2c542696f22b63fe5b8 (patch)
tree4bcbeb24ce1655c275f2e1780cacefaf2b306781
parentbefabac2d8e4925b97c5eebc78ecc4b2079fd9dd (diff)
cfg80211: fix error path in cfg80211_wext_siwscan
If there's an invalid channel or SSID, the code leaks the scan request. Always free the scan request, unless it was successfully given to the driver. Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Acked-by: Dan Carpenter <error27@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--net/wireless/scan.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 12dfa62aad18..0c2cbbebca95 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -601,7 +601,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
601 struct cfg80211_registered_device *rdev; 601 struct cfg80211_registered_device *rdev;
602 struct wiphy *wiphy; 602 struct wiphy *wiphy;
603 struct iw_scan_req *wreq = NULL; 603 struct iw_scan_req *wreq = NULL;
604 struct cfg80211_scan_request *creq; 604 struct cfg80211_scan_request *creq = NULL;
605 int i, err, n_channels = 0; 605 int i, err, n_channels = 0;
606 enum ieee80211_band band; 606 enum ieee80211_band band;
607 607
@@ -694,8 +694,10 @@ int cfg80211_wext_siwscan(struct net_device *dev,
694 /* translate "Scan for SSID" request */ 694 /* translate "Scan for SSID" request */
695 if (wreq) { 695 if (wreq) {
696 if (wrqu->data.flags & IW_SCAN_THIS_ESSID) { 696 if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
697 if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) 697 if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
698 return -EINVAL; 698 err = -EINVAL;
699 goto out;
700 }
699 memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len); 701 memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
700 creq->ssids[0].ssid_len = wreq->essid_len; 702 creq->ssids[0].ssid_len = wreq->essid_len;
701 } 703 }
@@ -707,12 +709,15 @@ int cfg80211_wext_siwscan(struct net_device *dev,
707 err = rdev->ops->scan(wiphy, dev, creq); 709 err = rdev->ops->scan(wiphy, dev, creq);
708 if (err) { 710 if (err) {
709 rdev->scan_req = NULL; 711 rdev->scan_req = NULL;
710 kfree(creq); 712 /* creq will be freed below */
711 } else { 713 } else {
712 nl80211_send_scan_start(rdev, dev); 714 nl80211_send_scan_start(rdev, dev);
715 /* creq now owned by driver */
716 creq = NULL;
713 dev_hold(dev); 717 dev_hold(dev);
714 } 718 }
715 out: 719 out:
720 kfree(creq);
716 cfg80211_unlock_rdev(rdev); 721 cfg80211_unlock_rdev(rdev);
717 return err; 722 return err;
718} 723}