2018-12-15 02:32:35

by Ajay Singh

Subject: [PATCH] staging: wilc1000: fix NULL dereference inside wilc_scan()

From: Ajay Singh <[email protected]>

Added NULL check before accessing 'hidden_net' pointer inside
wilc_scan() to fix the issue found by static code checker.

Fixes: 8f1a0ac1eba7 ("staging: wilc1000: handle scan operation callback from cfg80211 context")
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Ajay Singh <[email protected]>
---
drivers/staging/wilc1000/host_interface.c | 48 +++++++++++++++++--------------
1 file changed, 26 insertions(+), 22 deletions(-)

diff --git a/drivers/staging/wilc1000/host_interface.c b/drivers/staging/wilc1000/host_interface.c
index b8603f2..70c854d 100644
--- a/drivers/staging/wilc1000/host_interface.c
+++ b/drivers/staging/wilc1000/host_interface.c
@@ -246,27 +246,29 @@ int wilc_scan(struct wilc_vif *vif, u8 scan_source, u8 scan_type,

hif_drv->usr_scan_req.ch_cnt = 0;

- wid_list[index].id = WID_SSID_PROBE_REQ;
- wid_list[index].type = WID_STR;
-
- for (i = 0; i < hidden_net->n_ssids; i++)
- valuesize += ((hidden_net->net_info[i].ssid_len) + 1);
- hdn_ntwk_wid_val = kmalloc(valuesize + 1, GFP_KERNEL);
- wid_list[index].val = hdn_ntwk_wid_val;
- if (wid_list[index].val) {
- buffer = wid_list[index].val;
-
- *buffer++ = hidden_net->n_ssids;
-
- for (i = 0; i < hidden_net->n_ssids; i++) {
- *buffer++ = hidden_net->net_info[i].ssid_len;
- memcpy(buffer, hidden_net->net_info[i].ssid,
- hidden_net->net_info[i].ssid_len);
- buffer += hidden_net->net_info[i].ssid_len;
- }
+ if (hidden_net) {
+ wid_list[index].id = WID_SSID_PROBE_REQ;
+ wid_list[index].type = WID_STR;
+
+ for (i = 0; i < hidden_net->n_ssids; i++)
+ valuesize += ((hidden_net->net_info[i].ssid_len) + 1);
+ hdn_ntwk_wid_val = kmalloc(valuesize + 1, GFP_KERNEL);
+ wid_list[index].val = hdn_ntwk_wid_val;
+ if (wid_list[index].val) {
+ buffer = wid_list[index].val;
+
+ *buffer++ = hidden_net->n_ssids;
+
+ for (i = 0; i < hidden_net->n_ssids; i++) {
+ *buffer++ = hidden_net->net_info[i].ssid_len;
+ memcpy(buffer, hidden_net->net_info[i].ssid,
+ hidden_net->net_info[i].ssid_len);
+ buffer += hidden_net->net_info[i].ssid_len;
+ }

- wid_list[index].size = (s32)(valuesize + 1);
- index++;
+ wid_list[index].size = (s32)(valuesize + 1);
+ index++;
+ }
}

wid_list[index].id = WID_INFO_ELEMENT_PROBE;
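Review bot: A failed `kmalloc()` inside the new `if (hidden_net)` block is silently tolerated: when `hdn_ntwk_wid_val` is NULL the SSID probe WID is skipped and the scan continues without the requested hidden SSIDs, with nothing reported to the caller. Since the `error:` label later in the function already frees both buffers, the allocation could be checked directly with `if (!hdn_ntwk_wid_val) { result = -ENOMEM; goto error; }`, provided nothing acquired earlier in wilc_scan() needs separate unwinding. That also removes one level of nesting. `hidden_net->n_ssids` and each `ssid_len` are stored through `*buffer++`, so if `buffer` is a byte pointer (its declaration is outside the hunk) a short comment stating the expected upper bounds of both fields would help the next reader. wilc_scan() starts before and continues after this hunk.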
@@ -316,8 +318,10 @@ int wilc_scan(struct wilc_vif *vif, u8 scan_source, u8 scan_type,
jiffies + msecs_to_jiffies(HOST_IF_SCAN_TIMEOUT));

error:
- kfree(hidden_net->net_info);
- kfree(hdn_ntwk_wid_val);
+ if (hidden_net) {
+ kfree(hidden_net->net_info);
+ kfree(hdn_ntwk_wid_val);
+ }

return result;
}
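Review bot: `kfree(hidden_net->net_info)` leaves the caller's struct holding a freed pointer, and because the `error:` label appears to be reached by fall-through from the timer arming just above it, this happens on the success path as well as on failure. Adding `hidden_net->net_info = NULL;` right after the free would make a later free or read by the caller harmless, and a comment at the label such as `/* wilc_scan() takes ownership of hidden_net->net_info and always frees it */` would document the contract. `kfree(hdn_ntwk_wid_val)` does not need the guard, since kfree(NULL) is a no-op, but moving it outside is only safe if the pointer is initialised to NULL at its declaration, which is not visible here. The function body starts outside this hunk.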
--
2.7.4