aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net/wireless/mwifiex/scan.c
diff options
context:
space:
mode:
authorBing Zhao <bzhao@marvell.com>2013-04-12 13:34:17 -0400
committerJohn W. Linville <linville@tuxdriver.com>2013-04-22 15:38:35 -0400
commitd837a2ae40fd37bcbb5a42126e3d89c68c90fccc (patch)
treed952e47adcbfbb9c7797b5593149df161de3f4e6 /drivers/net/wireless/mwifiex/scan.c
parent8bc77a4d2c8ca3c07d74465a3738bf60a4e5de41 (diff)
mwifiex: fix use-after-free in beacon_ie processing
beacon_ie buffer is allocated in mwifiex_fill_new_bss_desc() and the buffer pointer is saved in bss_desc->beacon_buf. beacon_ie is freed before the function returns. However, bss_desc->beacon_buf is still being accessed afterwards. Fix it by freeing beacon_ie (bss_desc->beacon_buf) in caller's scope. Reviewed-by: Doug Anderson <dianders@chromium.org> Reviewed-by: Paul Stewart <pstew@chromium.org> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/mwifiex/scan.c')
-rw-r--r--drivers/net/wireless/mwifiex/scan.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c
index e7f6deaf715e..37b24e830844 100644
--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -1533,10 +1533,18 @@ static int mwifiex_update_curr_bss_params(struct mwifiex_private *priv,
1533 /* Make a copy of current BSSID descriptor */ 1533 /* Make a copy of current BSSID descriptor */
1534 memcpy(&priv->curr_bss_params.bss_descriptor, bss_desc, 1534 memcpy(&priv->curr_bss_params.bss_descriptor, bss_desc,
1535 sizeof(priv->curr_bss_params.bss_descriptor)); 1535 sizeof(priv->curr_bss_params.bss_descriptor));
1536
1537 /* The contents of beacon_ie will be copied to its own buffer
1538 * in mwifiex_save_curr_bcn()
1539 */
1536 mwifiex_save_curr_bcn(priv); 1540 mwifiex_save_curr_bcn(priv);
1537 spin_unlock_irqrestore(&priv->curr_bcn_buf_lock, flags); 1541 spin_unlock_irqrestore(&priv->curr_bcn_buf_lock, flags);
1538 1542
1539done: 1543done:
1544 /* beacon_ie buffer was allocated in function
1545 * mwifiex_fill_new_bss_desc(). Free it now.
1546 */
1547 kfree(bss_desc->beacon_buf);
1540 kfree(bss_desc); 1548 kfree(bss_desc);
1541 return 0; 1549 return 0;
1542} 1550}