cfg80211:: fix possible NULL pointer dereference

In cfg80211_inform_bss_frame() wiphy is first dereferenced on privsz
initialisation and then it is checked for NULL. This patch fixes that.

Signed-off-by: Mariusz Kozlowski <mk@lab.zgora.pl>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

1 files changed, 10 insertions, 3 deletions

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index ea427f418f64..300c11d99997 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -585,16 +585,23 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy,
         struct cfg80211_internal_bss *res;
         size_t ielen = len - offsetof(struct ieee80211_mgmt,
                                       u.probe_resp.variable);
-        size_t privsz = wiphy->bss_priv_size;
+        size_t privsz;
+
+        if (WARN_ON(!mgmt))
+                return NULL;
+
+        if (WARN_ON(!wiphy))
+                return NULL;
 
         if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
                     (signal < 0 || signal > 100)))
                 return NULL;
 
-        if (WARN_ON(!mgmt || !wiphy ||
-                    len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
+        if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
                 return NULL;
 
+        privsz = wiphy->bss_priv_size;
+
         res = kzalloc(sizeof(*res) + privsz + ielen, gfp);
         if (!res)
                 return NULL;