aboutsummaryrefslogtreecommitdiffstats
path: root/net/wireless/scan.c
diff options
context:
space:
mode:
authorMariusz Kozlowski <mk@lab.zgora.pl>2011-03-26 14:26:55 -0400
committerJohn W. Linville <linville@tuxdriver.com>2011-03-28 15:42:02 -0400
commitbef9bacc4ec7ea6a02876164cd6ccaa4759edce4 (patch)
treee68100ba3efa0ce2a13636027565f422e55bbd95 /net/wireless/scan.c
parent67aa030c0dff6095128bcb4e8043b48360f32331 (diff)
cfg80211:: fix possible NULL pointer dereference
In cfg80211_inform_bss_frame() wiphy is first dereferenced on privsz initialisation and then it is checked for NULL. This patch fixes that. Signed-off-by: Mariusz Kozlowski <mk@lab.zgora.pl> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/wireless/scan.c')
-rw-r--r--net/wireless/scan.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index ea427f418f64..300c11d99997 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -585,16 +585,23 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy,
585 struct cfg80211_internal_bss *res; 585 struct cfg80211_internal_bss *res;
586 size_t ielen = len - offsetof(struct ieee80211_mgmt, 586 size_t ielen = len - offsetof(struct ieee80211_mgmt,
587 u.probe_resp.variable); 587 u.probe_resp.variable);
588 size_t privsz = wiphy->bss_priv_size; 588 size_t privsz;
589
590 if (WARN_ON(!mgmt))
591 return NULL;
592
593 if (WARN_ON(!wiphy))
594 return NULL;
589 595
590 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && 596 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
591 (signal < 0 || signal > 100))) 597 (signal < 0 || signal > 100)))
592 return NULL; 598 return NULL;
593 599
594 if (WARN_ON(!mgmt || !wiphy || 600 if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
595 len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
596 return NULL; 601 return NULL;
597 602
603 privsz = wiphy->bss_priv_size;
604
598 res = kzalloc(sizeof(*res) + privsz + ielen, gfp); 605 res = kzalloc(sizeof(*res) + privsz + ielen, gfp);
599 if (!res) 606 if (!res)
600 return NULL; 607 return NULL;