cfg80211: fix a crash in nl80211_send_station

mac80211 leaves sinfo->assoc_req_ies uninitialized, causing a random
pointer memory access in nl80211_send_station.
Instead of checking if the pointer is null, use sinfo->filled, like
the rest of the fields.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index e95d3acaff0602f0f465904f4483d94e4f32dc8f..d048ed59647b4dda00278424d94ee12406057dc0 100644 (file)
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -426,6 +426,7 @@ struct station_parameters {
  * @STATION_INFO_RX_BITRATE: @rxrate fields are filled
  * @STATION_INFO_BSS_PARAM: @bss_param filled
  * @STATION_INFO_CONNECTED_TIME: @connected_time filled
+ * @STATION_INFO_ASSOC_REQ_IES: @assoc_req_ies filled
  */
 enum station_info_flags {
        STATION_INFO_INACTIVE_TIME      = 1<<0,
@@ -444,7 +445,8 @@ enum station_info_flags {
        STATION_INFO_SIGNAL_AVG         = 1<<13,
        STATION_INFO_RX_BITRATE         = 1<<14,
        STATION_INFO_BSS_PARAM          = 1<<15,
-       STATION_INFO_CONNECTED_TIME     = 1<<16
+       STATION_INFO_CONNECTED_TIME     = 1<<16,
+       STATION_INFO_ASSOC_REQ_IES      = 1<<17
 };
 
 /**

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 33115be4936f3ec48db305b3bb271b4a776c6627..9d714f5213dd2f74246ae020fcfe6e25e370b071 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2209,7 +2209,7 @@ static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
        }
        nla_nest_end(msg, sinfoattr);
 
-       if (sinfo->assoc_req_ies)
+       if (sinfo->filled & STATION_INFO_ASSOC_REQ_IES)
                NLA_PUT(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
                        sinfo->assoc_req_ies);