2014-01-14 13:15:34

by Ilan Peer

Subject: [PATCH] cfg80211: fix few minor issues in reg_process_hint()

Fix the following issues in reg_process_hint():

1. Add verification that wiphy is valid before processing
NL80211_REGDOMAIN_SET_BY_COUNTRY_IE.
2. Free the request in case of invalid initiator.
3. Remove WARN_ON check on reg_request->alpha2 as it is not a
pointer.

Signed-off-by: Ilan Peer <[email protected]>
---
net/wireless/reg.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 9b897fc..484facf 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1683,17 +1683,9 @@ static void reg_process_hint(struct regulatory_request *reg_request)
struct wiphy *wiphy = NULL;
enum reg_request_treatment treatment;

- if (WARN_ON(!reg_request->alpha2))
- return;
-
if (reg_request->wiphy_idx != WIPHY_IDX_INVALID)
wiphy = wiphy_idx_to_wiphy(reg_request->wiphy_idx);

- if (reg_request->initiator == NL80211_REGDOM_SET_BY_DRIVER && !wiphy) {
- kfree(reg_request);
- return;
- }
-
switch (reg_request->initiator) {
case NL80211_REGDOM_SET_BY_CORE:
reg_process_hint_core(reg_request);
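Review bot: After the wiphy_idx_to_wiphy() lookup at the top of this hunk, wiphy can still be NULL, and with the early NL80211_REGDOM_SET_BY_DRIVER check removed nothing at this point says so. A short comment at the lookup, stating that wiphy may be NULL and that every case in the switch that passes it on must check it first, would keep a later-added initiator case from handing NULL to a helper. Dropping the WARN_ON is fine as described in the commit message, but it was also the only early exit left before the switch, so it is worth stating in the function comment that reg_process_hint() owns reg_request and is responsible for freeing it on every path it rejects.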
@@ -1706,20 +1698,29 @@ static void reg_process_hint(struct regulatory_request *reg_request)
schedule_delayed_work(&reg_timeout, msecs_to_jiffies(3142));
return;
case NL80211_REGDOM_SET_BY_DRIVER:
+ if (!wiphy)
+ goto out_free;
treatment = reg_process_hint_driver(wiphy, reg_request);
break;
case NL80211_REGDOM_SET_BY_COUNTRY_IE:
+ if (!wiphy)
+ goto out_free;
treatment = reg_process_hint_country_ie(wiphy, reg_request);
break;
default:
WARN(1, "invalid initiator %d\n", reg_request->initiator);
- return;
+ goto out_free;
}

/* This is required so that the orig_* parameters are saved */
if (treatment == REG_REQ_ALREADY_SET && wiphy &&
wiphy->regulatory_flags & REGULATORY_STRICT_REG)
wiphy_update_regulatory(wiphy, reg_request->initiator);
+
+ return;
+
+out_free:
+ kfree(reg_request);
}

/*
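Review bot: The wiphy_update_regulatory(wiphy, reg_request->initiator) call after the switch still dereferences reg_request once reg_process_hint_driver() or reg_process_hint_country_ie() has returned; if either helper can free the request for some treatment values, that read touches freed memory. The visible lines do not show what the helpers do with the request, so the safe form is to copy reg_request->initiator into a local before the switch and use the local in both the switch and the wiphy_update_regulatory() call. Related: the bare "return;" after schedule_delayed_work() and the path after reg_process_hint_core() do not go through out_free, which is only correct if those helpers take ownership of the request; a comment saying so next to the out_free label would make the free/no-free split auditable. The "if (!wiphy) goto out_free;" checks themselves look right, though the commit message names NL80211_REGDOMAIN_SET_BY_COUNTRY_IE while the code uses NL80211_REGDOM_SET_BY_COUNTRY_IE.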
--
1.7.10.4



2014-01-20 10:29:37

by Johannes Berg

Subject: Re: [PATCH] cfg80211: fix few minor issues in reg_process_hint()

On Tue, 2014-01-14 at 15:17 +0200, Ilan Peer wrote:
> Fix the following issues in reg_process_hint():
>
> 1. Add verification that wiphy is valid before processing
> NL80211_REGDOMAIN_SET_BY_COUNTRY_IE.
> 2. Free the request in case of invalid initiator.
> 3. Remove WARN_ON check on reg_request->alpha2 as it is not a
> pointer.

Applied.

It's not clear to me that we don't leak anywhere else, and that the
wiphy_update_regulatory() call can't be a use-after-free?

johannes