The function building probe-request IEs does not validate the band is
supported before dereferencing it. This can result in a panic when
all bands are traversed, as done during sched-scan start.
Warn when this happens and return an empty probe request. Also fix
sched-scan to not waste memory on unsupported bands.
Signed-off-by: Arik Nemtsov <[email protected]>
---
better? :)
net/mac80211/scan.c | 3 +++
net/mac80211/util.c | 2 ++
2 files changed, 5 insertions(+)
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index 379f178..1ff04f6 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -928,6 +928,9 @@ int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata,
}
for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
+ if (!local->hw.wiphy->bands[i])
+ continue;
+
local->sched_scan_ies.ie[i] = kzalloc(2 +
IEEE80211_MAX_SSID_LEN +
local->scan_ies_len +
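Review bot: The new `continue` at the top of the loop means `local->sched_scan_ies.ie[i]` is never assigned for a band the wiphy does not support, so any code that later walks all `IEEE80211_NUM_BANDS` entries has to tolerate a NULL pointer in that slot. Please confirm the slot is guaranteed to be NULL on entry rather than left over from an earlier sched-scan, and that the consumers of these buffers check for it. A short comment above `if (!local->hw.wiphy->bands[i])` saying why the band is skipped would make the intent clear to the next reader.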
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 64493a7..596db0c 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -999,6 +999,8 @@ int ieee80211_build_preq_ies(struct ieee80211_local *local, u8 *buffer,
int ext_rates_len;
sband = local->hw.wiphy->bands[band];
+ if (WARN_ON_ONCE(!sband))
+ return 0;
pos = buffer;
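Review bot: `return 0` under `WARN_ON_ONCE(!sband)` gives callers a length of zero, which they cannot tell apart from a probe request that is legitimately empty, and after the first hit the warning stays silent. With the scan.c hunk already skipping unsupported bands, this check is now a guard for the other callers, so the function's comment should state that 0 is returned for an unsupported band and that callers are expected not to pass one. If any caller goes on to use the returned length together with a buffer it assumed was filled, that caller deserves a look as part of this change.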
--
1.7.9.5
On Mon, Jul 9, 2012 at 7:59 PM, Johannes Berg <[email protected]> wrote:
> On Mon, 2012-07-09 at 19:57 +0300, Arik Nemtsov wrote:
>> The function building probe-request IEs does not validate the band is
>> supported before dereferencing it. This can result in a panic when
>> all bands are traversed, as done during sched-scan start.
>>
>> Warn when this happens and return an empty probe request. Also fix
>> sched-scan to not waste memory on unsupported bands.
>>
>> Signed-off-by: Arik Nemtsov <[email protected]>
>> ---
>> better? :)
>
> Yeah I'll apply this :-)
>
> I do wonder though why we even bother building probe request IEs for a
> band if no channels from it are listed in the sched scan request.
It's a bit complicated to know this, because of how the request is
structured (have to traverse all the channels etc).
The memory waste is not so bad anyway I guess.
On Mon, Jul 9, 2012 at 8:09 PM, Johannes Berg <[email protected]> wrote:
> On Mon, 2012-07-09 at 20:04 +0300, Arik Nemtsov wrote:
>> On Mon, Jul 9, 2012 at 7:59 PM, Johannes Berg <[email protected]> wrote:
>> > On Mon, 2012-07-09 at 19:57 +0300, Arik Nemtsov wrote:
>> >> The function building probe-request IEs does not validate the band is
>> >> supported before dereferencing it. This can result in a panic when
>> >> all bands are traversed, as done during sched-scan start.
>> >>
>> >> Warn when this happens and return an empty probe request. Also fix
>> >> sched-scan to not waste memory on unsupported bands.
>> >>
>> >> Signed-off-by: Arik Nemtsov <[email protected]>
>> >> ---
>> >> better? :)
>> >
>> > Yeah I'll apply this :-)
>> >
>> > I do wonder though why we even bother building probe request IEs for a
>> > band if no channels from it are listed in the sched scan request.
>>
>> It's a bit complicated to know this, because of how the request is
>> structured (have to traverse all the channels etc).
>> The memory waste is not so bad anyway I guess.
>
> Yeah but we could just iterate all the channels and build the probe
> request IEs for each channel's band unless we did before? Anyway, it
> doesn't matter, something for another day maybe :)
Yea that's a possibility I guess. For another day :)
On Mon, 2012-07-09 at 19:57 +0300, Arik Nemtsov wrote:
> The function building probe-request IEs does not validate the band is
> supported before dereferencing it. This can result in a panic when
> all bands are traversed, as done during sched-scan start.
>
> Warn when this happens and return an empty probe request. Also fix
> sched-scan to not waste memory on unsupported bands.
>
> Signed-off-by: Arik Nemtsov <[email protected]>
> ---
> better? :)
Yeah I'll apply this :-)
I do wonder though why we even bother building probe request IEs for a
band if no channels from it are listed in the sched scan request.
johannes
On Mon, 2012-07-09 at 20:04 +0300, Arik Nemtsov wrote:
> On Mon, Jul 9, 2012 at 7:59 PM, Johannes Berg <[email protected]> wrote:
> > On Mon, 2012-07-09 at 19:57 +0300, Arik Nemtsov wrote:
> >> The function building probe-request IEs does not validate the band is
> >> supported before dereferencing it. This can result in a panic when
> >> all bands are traversed, as done during sched-scan start.
> >>
> >> Warn when this happens and return an empty probe request. Also fix
> >> sched-scan to not waste memory on unsupported bands.
> >>
> >> Signed-off-by: Arik Nemtsov <[email protected]>
> >> ---
> >> better? :)
> >
> > Yeah I'll apply this :-)
> >
> > I do wonder though why we even bother building probe request IEs for a
> > band if no channels from it are listed in the sched scan request.
>
> It's a bit complicated to know this, because of how the request is
> structured (have to traverse all the channels etc).
> The memory waste is not so bad anyway I guess.
Yeah but we could just iterate all the channels and build the probe
request IEs for each channel's band unless we did before? Anyway, it
doesn't matter, something for another day maybe :)
johannes