Message-ID: <c6e52470551dc7802a36c5080c6c61a2ad625e7f.camel@sipsolutions.net>
Subject: Re: [PATCH v2] mac80211: mlme: check for null after calling kmemdup
From:   Johannes Berg <johannes@sipsolutions.net>
To:     Jiasheng Jiang <jiasheng@iscas.ac.cn>, davem@davemloft.net,
        kuba@kernel.org
Cc:     linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org
Date:   Wed, 05 Jan 2022 08:49:22 +0100
In-Reply-To: <20220105013308.2011586-1-jiasheng@iscas.ac.cn>
References: <20220105013308.2011586-1-jiasheng@iscas.ac.cn>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.42.2 (3.42.2-1.fc35) 
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: bulk

On Wed, 2022-01-05 at 09:33 +0800, Jiasheng Jiang wrote:
> As the possible failure of the alloc, the ifmgd->assoc_req_ies might be
> NULL pointer returned from kmemdup().
> Therefore it might be better to free the skb and return in order to fail
> the association, like ieee80211_assoc_success().
> 
> Fixes: 4d9ec73d2b78 ("cfg80211: Report Association Request frame IEs in association events")
> Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
> ---
> v2: Change to fail the association if kmemdup returns NULL.
> ---
>  net/mac80211/mlme.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> index 9bed6464c5bd..b5dfdf953286 100644
> --- a/net/mac80211/mlme.c
> +++ b/net/mac80211/mlme.c
> @@ -1058,6 +1058,11 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
>  	pos = skb_tail_pointer(skb);
>  	kfree(ifmgd->assoc_req_ies);
>  	ifmgd->assoc_req_ies = kmemdup(ie_start, pos - ie_start, GFP_ATOMIC);
> +	if (!ifmgd->assoc_req_ies) {
> +		dev_kfree_skb(skb);
> +		return;
> +	}
> 

That doesn't fail, that just doesn't send the frame and will then time
out later, not very useful?

johannes