nl80211: Fix use-after-free in qca_nl80211_get_features()
Any data accessible from nla_data() is freed before the send_and_recv_msgs() function returns, therefore we need to allocate space for info.flags ourselves. Signed-off-by: Paul Stewart <pstew@google.com>
This commit is contained in:
parent
61854f16ec
commit
fdc1188a85
1 changed files with 7 additions and 2 deletions
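--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -904,8 +904,12 @@ static int features_info_handler(struct nl_msg *msg, void *arg)
 
 	attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_FEATURE_FLAGS];
 	if (attr) {
-		info->flags = nla_data(attr);
-		info->flags_len = nla_len(attr);
+		int len = nla_len(attr);
+		info->flags = os_malloc(len);
+		if (info->flags != NULL) {
+			os_memcpy(info->flags, nla_data(attr), len);
+			info->flags_len = len;
+		}
 	}
 
 	attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_CONCURRENCY_CAPA];
 	if (attr)
@@ -968,6 +972,7 @@ static void qca_nl80211_get_features(struct wpa_driver_nl80211_data *drv)
 	if (check_feature(QCA_WLAN_VENDOR_FEATURE_OFFCHANNEL_SIMULTANEOUS,
 			  &info))
 		drv->capa.flags |= WPA_DRIVER_FLAGS_OFFCHANNEL_SIMULTANEOUS;
+	os_free(info.flags);
 }
 
 #endif /* CONFIG_DRIVER_NL80211_QCA */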
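Review bot: In features_info_handler (first hunk), an os_malloc() failure leaves info->flags NULL while info->flags_len keeps whatever value it had, and if the handler can run more than once for a single request, a second pass overwrites the earlier allocation without freeing it. The unconditional `os_free(info.flags)` added in the second hunk already relies on info.flags being NULL-initialized by the caller, so the handler can safely release any earlier buffer before allocating. Consider `os_free(info->flags);` before the allocation and `info->flags_len = info->flags ? len : 0;` in place of the conditional assignment, so the length always matches the pointer. Whether the caller zeroes flags_len and whether qca_nl80211_get_features has early returns between the allocation and the new os_free() cannot be seen here; both enclosing functions start outside the hunks.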