From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Julian Squires, Johannes Berg, Sasha Levin
Subject: [PATCH 4.19 26/48] cfg80211: check vendor command doit pointer before use
Date: Mon, 10 Aug 2020 17:21:48 +0200
Message-Id: <20200810151805.502158557@linuxfoundation.org>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200810151804.199494191@linuxfoundation.org>
References: <20200810151804.199494191@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Julian Squires

[ Upstream commit 4052d3d2e8f47a15053320bbcbe365d15610437d ]

In the case where a vendor command does not implement doit, and has no flags set, doit would not be validated and a NULL pointer dereference would occur, for example when invoking the vendor command via iw.

I encountered this while developing new vendor commands. Perhaps in practice it is advisable to always implement doit along with dumpit, but it seems reasonable to me to always check doit anyway, not just when NEED_WDEV.

Signed-off-by: Julian Squires
Link: https://lore.kernel.org/r/20200706211353.2366470-1-julian@cipht.net
Signed-off-by: Johannes Berg
Signed-off-by: Sasha Levin
--- net/wireless/nl80211.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 0221849b72180..996b68b48a878 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c 
@@ -12392,13 +12392,13 @@ static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info) if (!wdev_running(wdev)) return -ENETDOWN; } - - if (!vcmd->doit) - return -EOPNOTSUPP; } else { wdev = NULL; } + if (!vcmd->doit) + return -EOPNOTSUPP; + if (info->attrs[NL80211_ATTR_VENDOR_DATA]) { data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]); len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]); -- 2.25.1
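
Review bot: The relocated `if (!vcmd->doit) return -EOPNOTSUPP;` still runs only after the flags branch, so for a command with flags set and no doit, a caller on a down interface gets -ENETDOWN from the `wdev_running(wdev)` check before ever learning the command is unsupported. Whether doit is NULL does not depend on `wdev`, so the check could sit ahead of the `if`/`else` that assigns `wdev`, which would reject the request before any of that branch's work and make the returned error independent of interface state. The placement shown does close the NULL dereference described in the commit message, since the check now precedes the `NL80211_ATTR_VENDOR_DATA` handling on both paths. The commit message carries no Fixes: tag, which would help when deciding which other stable branches need this backport.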