
mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference

1) Using fwctx variable after brcmf_fw_request_done() was executed meant
   accessing freed memory.
2) Using fwctx->completion for the wait_for_completion_timeout() call
   could result in NULL pointer dereference on fw loading error or if
   brcmf_fw_request_done() was executed quickly enough.

Signed-off-by: Rafał Miłecki <[email protected]>
Rafał Miłecki 6 years ago
Parent
commit
529c95cc15

+ 2 - 3
package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch

@@ -58,12 +58,11 @@ Signed-off-by: Rafał Miłecki <[email protected]>
  
  	ret = request_firmware_nowait(THIS_MODULE, true, first->path,
  				      fwctx->dev, GFP_KERNEL, fwctx,
-@@ -696,6 +703,9 @@ int brcmf_fw_get_firmwares(struct device
+@@ -696,6 +703,8 @@ int brcmf_fw_get_firmwares(struct device
  	if (ret < 0)
  		brcmf_fw_request_done(NULL, fwctx);
  
-+	wait_for_completion_timeout(fwctx->completion, msecs_to_jiffies(5000));
-+	fwctx->completion = NULL;
++	wait_for_completion_timeout(&completion, msecs_to_jiffies(5000));
 +
  	return 0;
  }
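
Review bot: the return value of wait_for_completion_timeout(&completion, msecs_to_jiffies(5000)) is discarded in the added line of brcmf_fw_get_firmwares(), so a 5 second timeout cannot be told apart from a finished firmware request and the function still returns 0. If completion is a local of this function (its declaration is outside the visible hunk), a timeout also lets the function return while the asynchronous path started by request_firmware_nowait() may still signal that object later, which would bring back the kind of stale access this change is meant to remove. Suggest checking the return value, reporting or returning an error on timeout, and making sure the completion's lifetime covers a late brcmf_fw_request_done(). A short comment explaining why the wait must not go through fwctx after brcmf_fw_request_done() may have run would also help the next reader.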