Головна сторінка Огляд Довідка
Реєстрація Увійти
OpenWrt
/
openwrt
дзеркало https://github.com/openwrt/openwrt.git
2
0
Відгалуження 0
Файли Проблеми 0 Wiki
Дерево: 9f6cbc78cd
Гілки Теги
openwrt
/
package
/
kernel
/
mac80211
/
patches
/
subsys
/
350-mac80211-fix-memory-leaks-with-element-parsing.patch

350-mac80211-fix-memory-leaks-with-element-parsing.patch 3.5 KB
Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115 
  1. From: Johannes Berg <[email protected]>
    2. 

  2. Date: Fri, 1 Oct 2021 21:11:08 +0200
    3. 

  3. Subject: [PATCH] mac80211: fix memory leaks with element parsing
    4. 

  4. 

  5. commit 8223ac199a3849257e86ec27865dc63f034b1cf1 upstream.
    6. 

  6. 

  7. My previous commit 5d24828d05f3 ("mac80211: always allocate
    8. 

  8. struct ieee802_11_elems") had a few bugs and leaked the new
    9. 

  9. allocated struct in a few error cases, fix that.
    10. 

  10. 

  11. Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
    12. 

  12. Signed-off-by: Johannes Berg <[email protected]>
    13. 

  13. Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d3af7ed1bfeac2e00d08a4637c8025@changeid
    14. 

  14. Signed-off-by: Johannes Berg <[email protected]>
    15. 

  15. ---
    16. 

  16. 

  17. --- a/net/mac80211/agg-rx.c
    18. 

  18. +++ b/net/mac80211/agg-rx.c
    19. 

  19. @@ -499,13 +499,14 @@ void ieee80211_process_addba_request(str
    20. 

  20.  		elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
    21. 

  21.  					       ies_len, true, mgmt->bssid, NULL);
    22. 

  22.  		if (!elems || elems->parse_error)
    23. 

  23. -			return;
    24. 

  24. +			goto free;
    25. 

  25.  	}
    26. 

  26.  
    27. 

  27.  	__ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
    28. 

  28.  					start_seq_num, ba_policy, tid,
    29. 

  29.  					buf_size, true, false,
    30. 

  30.  					elems ? elems->addba_ext_ie : NULL);
    31. 

  31. +free:
    32. 

  32.  	kfree(elems);
    33. 

  33.  }
    34. 

  34.  
    35. 

  35. --- a/net/mac80211/ibss.c
    36. 

  36. +++ b/net/mac80211/ibss.c
    37. 

  37. @@ -1659,11 +1659,11 @@ void ieee80211_ibss_rx_queued_mgmt(struc
    38. 

  38.  				mgmt->u.action.u.chan_switch.variable,
    39. 

  39.  				ies_len, true, mgmt->bssid, NULL);
    40. 

  40.  
    41. 

  41. -			if (!elems || elems->parse_error)
    42. 

  42. -				break;
    43. 

  43. -
    44. 

  44. -			ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
    45. 

  45. -							rx_status, elems);
    46. 

  46. +			if (elems && !elems->parse_error)
    47. 

  47. +				ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,
    48. 

  48. +								skb->len,
    49. 

  49. +								rx_status,
    50. 

  50. +								elems);
    51. 

  51.  			kfree(elems);
    52. 

  52.  			break;
    53. 

  53.  		}
    54. 

  54. --- a/net/mac80211/mlme.c
    55. 

  55. +++ b/net/mac80211/mlme.c
    56. 

  56. @@ -3374,8 +3374,10 @@ static bool ieee80211_assoc_success(stru
    57. 

  57.  			bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
    58. 

  58.  					  GFP_ATOMIC);
    59. 

  59.  		rcu_read_unlock();
    60. 

  60. -		if (!bss_ies)
    61. 

  61. -			return false;
    62. 

  62. +		if (!bss_ies) {
    63. 

  63. +			ret = false;
    64. 

  64. +			goto out;
    65. 

  65. +		}
    66. 

  66.  
    67. 

  67.  		bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
    68. 

  68.  						   false, mgmt->bssid,
    69. 

  69. @@ -4358,13 +4360,11 @@ void ieee80211_sta_rx_queued_mgmt(struct
    70. 

  70.  					mgmt->u.action.u.chan_switch.variable,
    71. 

  71.  					ies_len, true, mgmt->bssid, NULL);
    72. 

  72.  
    73. 

  73. -			if (!elems || elems->parse_error)
    74. 

  74. -				break;
    75. 

  75. -
    76. 

  76. -			ieee80211_sta_process_chanswitch(sdata,
    77. 

  77. -						 rx_status->mactime,
    78. 

  78. -						 rx_status->device_timestamp,
    79. 

  79. -						 elems, false);
    80. 

  80. +			if (elems && !elems->parse_error)
    81. 

  81. +				ieee80211_sta_process_chanswitch(sdata,
    82. 

  82. +								 rx_status->mactime,
    83. 

  83. +								 rx_status->device_timestamp,
    84. 

  84. +								 elems, false);
    85. 

  85.  			kfree(elems);
    86. 

  86.  		} else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
    87. 

  87.  			struct ieee802_11_elems *elems;
    88. 

  88. @@ -4384,17 +4384,17 @@ void ieee80211_sta_rx_queued_mgmt(struct
    89. 

  89.  					mgmt->u.action.u.ext_chan_switch.variable,
    90. 

  90.  					ies_len, true, mgmt->bssid, NULL);
    91. 

  91.  
    92. 

  92. -			if (!elems || elems->parse_error)
    93. 

  93. -				break;
    94. 

  94. +			if (elems && !elems->parse_error) {
    95. 

  95. +				/* for the handling code pretend it was an IE */
    96. 

  96. +				elems->ext_chansw_ie =
    97. 

  97. +					&mgmt->u.action.u.ext_chan_switch.data;
    98. 

  98. +
    99. 

  99. +				ieee80211_sta_process_chanswitch(sdata,
    100. 

  100. +								 rx_status->mactime,
    101. 

  101. +								 rx_status->device_timestamp,
    102. 

  102. +								 elems, false);
    103. 

  103. +			}
    104. 

  104.  
    105. 

  105. -			/* for the handling code pretend this was also an IE */
    106. 

  106. -			elems->ext_chansw_ie =
    107. 

  107. -				&mgmt->u.action.u.ext_chan_switch.data;
    108. 

  108. -
    109. 

  109. -			ieee80211_sta_process_chanswitch(sdata,
    110. 

  110. -						 rx_status->mactime,
    111. 

  111. -						 rx_status->device_timestamp,
    112. 

  112. -						 elems, false);
    113. 

  113.  			kfree(elems);
    114. 

  114.  		}
    115. 

  115.  		break;
    116.