In the implementation of cfg80211_inform_single_bss_frame_data() the
allocated memory for ies is leaked in case of an error. Release ies if
cfg80211_bss_update() fails.
Fixes: 2a5193119269 ("cfg80211/nl80211: scanning (and mac80211 update to use it)")
Signed-off-by: Navid Emamdoost <[email protected]>
---
net/wireless/scan.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index aef240fdf8df..fae5af24f668 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1856,8 +1856,10 @@ cfg80211_inform_single_bss_frame_data(struct wiphy *wiphy,
wiphy->max_adj_channel_rssi_comp;
res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid,
jiffies);
- if (!res)
+ if (!res) {
+ kfree(ies);
return NULL;
+ }
if (channel->band == NL80211_BAND_60GHZ) {
bss_type = res->pub.capability & WLAN_CAPABILITY_DMG_TYPE_MASK;
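Review bot: freeing `ies` whenever `res` is NULL risks a double free, because a NULL return from cfg80211_bss_update() does not tell this caller which failure path was taken, and the reply below states that the function already frees the IEs itself at least when its kzalloc() of the new entry fails; on that path the added `kfree(ies);` would free the buffer a second time. The leak needs one ownership rule rather than a caller-side free on `!res`: either cfg80211_bss_update() owns the IEs from entry and releases them on every failure path (in which case this hunk must be dropped and the remaining "goto drop" paths audited instead), or it never frees them and the caller always does. The Fixes: tag also needs to name the commit that introduced the dynamic IE allocation; the reply notes the referenced commit predates it.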
--
2.17.1
On Sun, 2019-10-27 at 13:15 -0500, Navid Emamdoost wrote:
> In the implementation of cfg80211_inform_single_bss_frame_data() the
> allocated memory for ies is leaked in case of an error. Release ies if
> cfg80211_bss_update() fails.
I'm pretty sure it's more complicated than this patch (and the previous
one) - we already do free this at least in the case that "new =
kzalloc(...)" fails in cfg80211_bss_update().
Your Fixes: tag is also wrong, back then we didn't even have the dynamic
allocation of the IEs.
I'm dropping this patch and the other and will make a note to eventually
look at the lifetime issue here you point out, but if you want to work
on it instead let me know.
johannes
On Mon, Oct 28, 2019 at 7:12 AM Johannes Berg <[email protected]> wrote:
>
> On Sun, 2019-10-27 at 13:15 -0500, Navid Emamdoost wrote:
> > In the implementation of cfg80211_inform_single_bss_frame_data() the
> > allocated memory for ies is leaked in case of an error. Release ies if
> > cfg80211_bss_update() fails.
>
> I'm pretty sure it's more complicated than this patch (and the previous
> one) - we already do free this at least in the case that "new =
> kzalloc(...)" fails in cfg80211_bss_update().
Now I agree, there are two cases of release for ies in cfg80211_bss_update().
But for future reference, I suspect the last two cases of goto drop to
be mishandling ies.
>
> Your Fixes: tag is also wrong, back then we didn't even have the dynamic
> allocation of the IEs.
>
> I'm dropping this patch and the other and will make a note to eventually
> look at the lifetime issue here you point out, but if you want to work
> on it instead let me know.
>
> johannes
>
--
Navid.
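The ownership problem both replies circle around (Johannes: the callee already frees in at least one failure case; Navid: two release sites inside cfg80211_bss_update() plus suspect "goto drop" paths) is easiest to see in a small userland model. The block below is an added example written for this thread, not cfg80211 code; model_bss_update_mixed(), model_bss_update_owning(), the update_outcome values and the constructed sample IE bytes are all hypothetical. It instruments the free so a double free shows up as a count of 2 instead of allocator corruption, then runs the pre-patch caller, the patched caller, and a caller paired with a callee that owns the IEs on every failure path.

```c
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/*
 * Constructed model of the IE ownership question in the thread above. Nothing
 * here is kernel code. The one rule being illustrated: a buffer the callee
 * frees on *some* of its failure paths cannot safely be freed by the caller
 * on *any* failure, because a NULL/false return does not say which path ran.
 */

enum update_outcome {
	UPDATE_OK,          /* IEs stored in the BSS entry, which now owns them */
	UPDATE_FAIL_ALLOC,  /* hypothetical: allocation of the new entry failed */
	UPDATE_FAIL_DROP,   /* hypothetical: some other "goto drop" style failure */
};

struct ies {
	unsigned char *data;
	size_t len;
	int releases;       /* how many times release_ies() ran on this object */
};

/* Instrumented stand-in for kfree(ies): count every call but only free once,
 * so a double free is observable as releases == 2 rather than a crash. */
static void release_ies(struct ies *ies)
{
	ies->releases++;
	if (ies->releases == 1) {
		free(ies->data);
		ies->data = NULL;
	}
}

static bool alloc_ies(struct ies *ies, const unsigned char *src, size_t len)
{
	ies->data = malloc(len);
	if (!ies->data)
		return false;
	memcpy(ies->data, src, len);
	ies->len = len;
	ies->releases = 0;
	return true;
}

/* Callee with the mixed contract the thread describes: it frees the IEs on the
 * allocation-failure path but not on the drop path. false models a NULL return. */
static bool model_bss_update_mixed(struct ies *ies, enum update_outcome outcome)
{
	switch (outcome) {
	case UPDATE_OK:
		return true;
	case UPDATE_FAIL_ALLOC:
		release_ies(ies);   /* callee cleans up here ... */
		return false;
	default:
		return false;       /* ... but not here: leaks unless the caller frees */
	}
}

/* Callee with a single contract: it owns the IEs from the call onward and
 * releases them on every failure path, so the caller never frees after it. */
static bool model_bss_update_owning(struct ies *ies, enum update_outcome outcome)
{
	if (outcome == UPDATE_OK)
		return true;
	release_ies(ies);
	return false;
}

/*
 * Run one caller/callee pairing and return how many times the IEs were
 * released: 0 = leaked (on failure) or retained by the entry (on success),
 * 1 = released exactly once, 2 = double free. -1 means the model's own
 * malloc failed.
 */
static int releases_after(bool (*update)(struct ies *, enum update_outcome),
			  bool caller_frees_on_failure, enum update_outcome outcome)
{
	/* constructed sample: a 4-byte SSID element, not captured frame data */
	static const unsigned char sample_ies[] = { 0x00, 0x04, 't', 'e', 's', 't' };
	struct ies ies;
	int n;

	if (!alloc_ies(&ies, sample_ies, sizeof(sample_ies)))
		return -1;

	if (!update(&ies, outcome) && caller_frees_on_failure)
		release_ies(&ies);   /* the patch's kfree(ies) on !res */

	n = ies.releases;
	free(ies.data);              /* model cleanup; already NULL after a release */
	return n;
}
```

With the mixed callee, the unpatched caller leaks on the drop path (0 releases) while the patched caller double-frees on the allocation path (2 releases); only the owning callee, with no caller-side free, yields exactly one release on every failure and zero on success, which is the contract a fix for this leak has to establish before any `kfree(ies)` is added to the caller.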