diff options
author | Mariusz Kozlowski <mk@lab.zgora.pl> | 2011-03-26 19:26:55 +0100 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2011-03-28 15:42:02 -0400 |
commit | bef9bacc4ec7ea6a02876164cd6ccaa4759edce4 (patch) | |
tree | e68100ba3efa0ce2a13636027565f422e55bbd95 | |
parent | 67aa030c0dff6095128bcb4e8043b48360f32331 (diff) |
cfg80211:: fix possible NULL pointer dereference
In cfg80211_inform_bss_frame() wiphy is first dereferenced on privsz
initialisation and then it is checked for NULL. This patch fixes that.
Signed-off-by: Mariusz Kozlowski <mk@lab.zgora.pl>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | net/wireless/scan.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index ea427f418f6..300c11d9999 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -585,16 +585,23 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy, struct cfg80211_internal_bss *res; size_t ielen = len - offsetof(struct ieee80211_mgmt, u.probe_resp.variable); - size_t privsz = wiphy->bss_priv_size; + size_t privsz; + + if (WARN_ON(!mgmt)) + return NULL; + + if (WARN_ON(!wiphy)) + return NULL; if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && (signal < 0 || signal > 100))) return NULL; - if (WARN_ON(!mgmt || !wiphy || - len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable))) + if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable))) return NULL; + privsz = wiphy->bss_priv_size; + res = kzalloc(sizeof(*res) + privsz + ielen, gfp); if (!res) return NULL; |