author | Mariusz Kozlowski <mk@lab.zgora.pl> | 2011-03-26 14:26:55 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2011-03-28 15:42:02 -0400 |
commit | bef9bacc4ec7ea6a02876164cd6ccaa4759edce4 (patch) | |
tree | e68100ba3efa0ce2a13636027565f422e55bbd95 /net/wireless/scan.c | |
parent | 67aa030c0dff6095128bcb4e8043b48360f32331 (diff) |
cfg80211:: fix possible NULL pointer dereference
In cfg80211_inform_bss_frame() wiphy is first dereferenced on privsz
initialisation and then it is checked for NULL. This patch fixes that.
Signed-off-by: Mariusz Kozlowski <mk@lab.zgora.pl>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/wireless/scan.c')
-rw-r--r-- | net/wireless/scan.c | 13 |
1 files changed, 10 insertions, 3 deletions
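diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index ea427f418f64..300c11d99997 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -585,16 +585,23 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy,
 struct cfg80211_internal_bss *res;
 size_t ielen = len - offsetof(struct ieee80211_mgmt,
 u.probe_resp.variable);
-size_t privsz = wiphy->bss_priv_size;
+size_t privsz;
+
+if (WARN_ON(!mgmt))
+return NULL;
+
+if (WARN_ON(!wiphy))
+return NULL;
 
 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
 (signal < 0 || signal > 100)))
 return NULL;
 
-if (WARN_ON(!mgmt || !wiphy ||
-len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
+if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
 return NULL;
 
+privsz = wiphy->bss_priv_size;
+
 res = kzalloc(sizeof(*res) + privsz + ielen, gfp);
 if (!res)
 return NULL;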
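Review bot: `ielen` is still computed as `len - offsetof(...)` in its initialiser, above the `len < offsetof(...)` check, which is the same compute-before-validate ordering this hunk removes for `privsz`. Because `ielen` is a `size_t`, the subtraction wraps instead of faulting and the value is not read before the early return, so this is not a live bug. A later edit that used `ielen` ahead of the check would, however, pass a wrapped, very large length into the `kzalloc()` size sum. Declaring `size_t ielen;` and assigning `ielen = len - offsetof(struct ieee80211_mgmt, u.probe_resp.variable);` next to `privsz = wiphy->bss_priv_size;` would keep both derived sizes after validation. The function's signature and the rest of its body lie outside the hunk.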