nl80211: Check nla_put_nested() return value and handle errors

Couple of functions did not verify that nla_put_nested() succeeded. Fix
these by checking the return value and handling error cases cleanly.

Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2012-08-07 17:27:55 +03:00
parent 6afbc3d698
commit f0494d0f95

View file

@ -3479,23 +3479,15 @@ static int wpa_driver_nl80211_scan(void *priv,
{
struct i802_bss *bss = priv;
struct wpa_driver_nl80211_data *drv = bss->drv;
int ret = 0, timeout;
struct nl_msg *msg, *ssids, *freqs, *rates;
int ret = -1, timeout;
struct nl_msg *msg, *ssids = NULL, *freqs = NULL, *rates = NULL;
size_t i;
drv->scan_for_auth = 0;
msg = nlmsg_alloc();
ssids = nlmsg_alloc();
freqs = nlmsg_alloc();
rates = nlmsg_alloc();
if (!msg || !ssids || !freqs || !rates) {
nlmsg_free(msg);
nlmsg_free(ssids);
nlmsg_free(freqs);
nlmsg_free(rates);
if (!msg)
return -1;
}
os_free(drv->filter_ssids);
drv->filter_ssids = params->filter_ssids;
@ -3506,15 +3498,20 @@ static int wpa_driver_nl80211_scan(void *priv,
NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, drv->ifindex);
for (i = 0; i < params->num_ssids; i++) {
wpa_hexdump_ascii(MSG_MSGDUMP, "nl80211: Scan SSID",
params->ssids[i].ssid,
params->ssids[i].ssid_len);
NLA_PUT(ssids, i + 1, params->ssids[i].ssid_len,
params->ssids[i].ssid);
if (params->num_ssids) {
ssids = nlmsg_alloc();
if (ssids == NULL)
goto nla_put_failure;
for (i = 0; i < params->num_ssids; i++) {
wpa_hexdump_ascii(MSG_MSGDUMP, "nl80211: Scan SSID",
params->ssids[i].ssid,
params->ssids[i].ssid_len);
NLA_PUT(ssids, i + 1, params->ssids[i].ssid_len,
params->ssids[i].ssid);
}
if (nla_put_nested(msg, NL80211_ATTR_SCAN_SSIDS, ssids) < 0)
goto nla_put_failure;
}
if (params->num_ssids)
nla_put_nested(msg, NL80211_ATTR_SCAN_SSIDS, ssids);
if (params->extra_ies) {
wpa_hexdump(MSG_MSGDUMP, "nl80211: Scan extra IEs",
@ -3524,17 +3521,26 @@ static int wpa_driver_nl80211_scan(void *priv,
}
if (params->freqs) {
freqs = nlmsg_alloc();
if (freqs == NULL)
goto nla_put_failure;
for (i = 0; params->freqs[i]; i++) {
wpa_printf(MSG_MSGDUMP, "nl80211: Scan frequency %u "
"MHz", params->freqs[i]);
NLA_PUT_U32(freqs, i + 1, params->freqs[i]);
}
nla_put_nested(msg, NL80211_ATTR_SCAN_FREQUENCIES, freqs);
if (nla_put_nested(msg, NL80211_ATTR_SCAN_FREQUENCIES, freqs) <
0)
goto nla_put_failure;
}
if (params->p2p_probe) {
wpa_printf(MSG_DEBUG, "nl80211: P2P probe - mask SuppRates");
rates = nlmsg_alloc();
if (rates == NULL)
goto nla_put_failure;
/*
* Remove 2.4 GHz rates 1, 2, 5.5, 11 Mbps from supported rates
* by masking out everything else apart from the OFDM rates 6,
@ -3543,7 +3549,9 @@ static int wpa_driver_nl80211_scan(void *priv,
*/
NLA_PUT(rates, NL80211_BAND_2GHZ, 8,
"\x0c\x12\x18\x24\x30\x48\x60\x6c");
nla_put_nested(msg, NL80211_ATTR_SCAN_SUPP_RATES, rates);
if (nla_put_nested(msg, NL80211_ATTR_SCAN_SUPP_RATES, rates) <
0)
goto nla_put_failure;
NLA_PUT_FLAG(msg, NL80211_ATTR_TX_NO_CCK_RATE);
}
@ -5655,7 +5663,8 @@ static int wpa_driver_nl80211_sta_add(void *priv,
NLA_PUT_U8(wme, NL80211_STA_WME_MAX_SP,
(params->qosinfo > WMM_QOSINFO_STA_SP_SHIFT) &
WMM_QOSINFO_STA_SP_MASK);
nla_put_nested(msg, NL80211_ATTR_STA_WME, wme);
if (nla_put_nested(msg, NL80211_ATTR_STA_WME, wme) < 0)
goto nla_put_failure;
}
ret = send_and_recv_msgs(drv, msg, NULL, NULL);
@ -8466,6 +8475,7 @@ static int nl80211_signal_monitor(void *priv, int threshold, int hysteresis)
struct i802_bss *bss = priv;
struct wpa_driver_nl80211_data *drv = bss->drv;
struct nl_msg *msg, *cqm = NULL;
int ret = -1;
wpa_printf(MSG_DEBUG, "nl80211: Signal monitor threshold=%d "
"hysteresis=%d", threshold, hysteresis);
@ -8484,19 +8494,16 @@ static int nl80211_signal_monitor(void *priv, int threshold, int hysteresis)
NLA_PUT_U32(cqm, NL80211_ATTR_CQM_RSSI_THOLD, threshold);
NLA_PUT_U32(cqm, NL80211_ATTR_CQM_RSSI_HYST, hysteresis);
nla_put_nested(msg, NL80211_ATTR_CQM, cqm);
if (nla_put_nested(msg, NL80211_ATTR_CQM, cqm) < 0)
goto nla_put_failure;
nlmsg_free(cqm);
cqm = NULL;
if (send_and_recv_msgs(drv, msg, NULL, NULL) == 0)
return 0;
ret = send_and_recv_msgs(drv, msg, NULL, NULL);
msg = NULL;
nla_put_failure:
nlmsg_free(cqm);
nlmsg_free(msg);
return -1;
return ret;
}