Return-path: Received: from unix.wroclaw.pl ([94.23.28.62]:58869 "EHLO unix.wroclaw.pl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752208Ab1CZS1H (ORCPT ); Sat, 26 Mar 2011 14:27:07 -0400 From: Mariusz Kozlowski To: Johannes Berg Cc: "John W. Linville" , "David S. Miller" , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Mariusz Kozlowski Subject: [PATCH] cfg80211:: fix possible NULL pointer dereference Date: Sat, 26 Mar 2011 19:26:55 +0100 Message-Id: <1301164015-7978-1-git-send-email-mk@lab.zgora.pl> Sender: linux-wireless-owner@vger.kernel.org List-ID: In cfg80211_inform_bss_frame() wiphy is first dereferenced on privsz initialisation and then it is checked for NULL. This patch fixes that. Signed-off-by: Mariusz Kozlowski --- net/wireless/scan.c | 13 ++++++++++--- 1 files changed, 10 insertions(+), 3 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index ea427f4..300c11d 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -585,16 +585,23 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy, struct cfg80211_internal_bss *res; size_t ielen = len - offsetof(struct ieee80211_mgmt, u.probe_resp.variable); - size_t privsz = wiphy->bss_priv_size; + size_t privsz; + + if (WARN_ON(!mgmt)) + return NULL; + + if (WARN_ON(!wiphy)) + return NULL; if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && (signal < 0 || signal > 100))) return NULL; - if (WARN_ON(!mgmt || !wiphy || - len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable))) + if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable))) return NULL; + privsz = wiphy->bss_priv_size; + res = kzalloc(sizeof(*res) + privsz + ielen, gfp); if (!res) return NULL; -- 1.7.0.4
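Review bot: the compute-before-validate pattern this hunk fixes for privsz is still present for ielen: `size_t ielen = len - offsetof(struct ieee80211_mgmt, u.probe_resp.variable);` is evaluated at declaration, before the `WARN_ON(len < offsetof(...))` check, so for a short frame ielen wraps to a huge size_t. That is harmless only because the function returns NULL before ielen reaches kzalloc(); for consistency with the privsz change, declare `size_t ielen;` and assign it next to `privsz = wiphy->bss_priv_size;` after the length check. Two smaller points: the separate `WARN_ON(!mgmt)` and `WARN_ON(!wiphy)` tests could stay combined as `if (WARN_ON(!mgmt || !wiphy))` as in the removed line, and the commit message should say that moving the wiphy check ahead also covers the `wiphy->signal_type` dereference in the signal range check, not only the privsz initialisation (the subject also has a doubled colon in "cfg80211::").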