1 From: Johannes Berg <johannes.berg@intel.com>
2 Date: Fri, 1 Oct 2021 21:11:08 +0200
3 Subject: [PATCH] mac80211: fix memory leaks with element parsing
4
5 commit 8223ac199a3849257e86ec27865dc63f034b1cf1 upstream.
6
7 My previous commit 5d24828d05f3 ("mac80211: always allocate
8 struct ieee802_11_elems") had a few bugs and leaked the newly
9 allocated struct in a few error cases; fix that.
10
11 Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
12 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
13 Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d3af7ed1bfeac2e00d08a4637c8025@changeid
14 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
15 ---
16
17 --- a/net/mac80211/agg-rx.c
18 +++ b/net/mac80211/agg-rx.c
19 @@ -499,13 +499,14 @@ void ieee80211_process_addba_request(str
20 elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
21 ies_len, true, mgmt->bssid, NULL);
22 if (!elems || elems->parse_error)
23 - return;
24 + goto free;
25 }
26
27 __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
28 start_seq_num, ba_policy, tid,
29 buf_size, true, false,
30 elems ? elems->addba_ext_ie : NULL);
31 +free:
32 kfree(elems);
33 }
34
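Review bot: The new `goto free` on the parse-failure path relies on `elems` already being NULL whenever the ADDBA-extension branch is not taken, and that initialisation is outside the hunk — worth confirming the declaration is `struct ieee802_11_elems *elems = NULL;` rather than left uninitialised, since `kfree(elems)` at the label would otherwise free an indeterminate pointer. The label name `free` is legal (labels live in their own namespace) but reads like the allocator call directly above `kfree(elems);`; kernel code more commonly uses `out:` or `free_elems:`. A one-line comment at the label, `/* elems is NULL when no ADDBA extension was parsed; kfree(NULL) is a no-op */`, would document why the unconditional free is safe. `ieee80211_process_addba_request` begins before the hunk.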
35 --- a/net/mac80211/ibss.c
36 +++ b/net/mac80211/ibss.c
37 @@ -1659,11 +1659,11 @@ void ieee80211_ibss_rx_queued_mgmt(struc
38 mgmt->u.action.u.chan_switch.variable,
39 ies_len, true, mgmt->bssid, NULL);
40
41 - if (!elems || elems->parse_error)
42 - break;
43 -
44 - ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
45 - rx_status, elems);
46 + if (elems && !elems->parse_error)
47 + ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,
48 + skb->len,
49 + rx_status,
50 + elems);
51 kfree(elems);
52 break;
53 }
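Review bot: At the new `if (elems && !elems->parse_error)` a NULL return from `ieee802_11_parse_elems` (presumably allocation failure, given the "always allocate" change this fixes) and a malformed frame (`parse_error`) are handled identically and silently, so a peer's channel-switch announcement dropped under memory pressure is indistinguishable from a bogus frame. If that is the intended policy, a short comment on the condition, `/* NULL on allocation failure or malformed IEs: drop the CSA, kfree(NULL) is a no-op */`, would make the deliberate drop explicit for the next reader. The enclosing `ieee80211_ibss_rx_queued_mgmt` switch starts before the hunk and `ies_len` is computed outside it.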
54 --- a/net/mac80211/mlme.c
55 +++ b/net/mac80211/mlme.c
56 @@ -3374,8 +3374,10 @@ static bool ieee80211_assoc_success(stru
57 bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
58 GFP_ATOMIC);
59 rcu_read_unlock();
60 - if (!bss_ies)
61 - return false;
62 + if (!bss_ies) {
63 + ret = false;
64 + goto out;
65 + }
66
67 bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
68 false, mgmt->bssid,
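Review bot: The new `goto out` after the failed `kmemdup()` jumps to a label and assigns a `ret` variable that are both outside the hunk, so it is worth confirming that `out:` releases only what has been acquired at this point (presumably `elems`) and that anything it frees which is allocated later, such as `bss_elems`, is initialised to NULL at its declaration — otherwise this early exit hands an indeterminate pointer to `kfree()`. `bss_ies` itself is safe on this path because the failed `kmemdup()` returned NULL. A comment on the new block, `/* bss_ies is NULL here; out: must release only what was allocated above */`, would record that assumption next to the jump. `ieee80211_assoc_success` starts and ends outside the hunk.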
69 @@ -4358,13 +4360,11 @@ void ieee80211_sta_rx_queued_mgmt(struct
70 mgmt->u.action.u.chan_switch.variable,
71 ies_len, true, mgmt->bssid, NULL);
72
73 - if (!elems || elems->parse_error)
74 - break;
75 -
76 - ieee80211_sta_process_chanswitch(sdata,
77 - rx_status->mactime,
78 - rx_status->device_timestamp,
79 - elems, false);
80 + if (elems && !elems->parse_error)
81 + ieee80211_sta_process_chanswitch(sdata,
82 + rx_status->mactime,
83 + rx_status->device_timestamp,
84 + elems, false);
85 kfree(elems);
86 } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
87 struct ieee802_11_elems *elems;
88 @@ -4384,17 +4384,17 @@ void ieee80211_sta_rx_queued_mgmt(struct
89 mgmt->u.action.u.ext_chan_switch.variable,
90 ies_len, true, mgmt->bssid, NULL);
91
92 - if (!elems || elems->parse_error)
93 - break;
94 + if (elems && !elems->parse_error) {
95 + /* for the handling code pretend it was an IE */
96 + elems->ext_chansw_ie =
97 + &mgmt->u.action.u.ext_chan_switch.data;
98 +
99 + ieee80211_sta_process_chanswitch(sdata,
100 + rx_status->mactime,
101 + rx_status->device_timestamp,
102 + elems, false);
103 + }
104
105 - /* for the handling code pretend this was also an IE */
106 - elems->ext_chansw_ie =
107 - &mgmt->u.action.u.ext_chan_switch.data;
108 -
109 - ieee80211_sta_process_chanswitch(sdata,
110 - rx_status->mactime,
111 - rx_status->device_timestamp,
112 - elems, false);
113 kfree(elems);
114 }
115 break;
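Review bot: In the new block `elems->ext_chansw_ie` is pointed into the received frame (`&mgmt->u.action.u.ext_chan_switch.data`), so the parsed element set borrows from the skb and must not outlive it; that holds here only because `kfree(elems)` immediately follows the `ieee80211_sta_process_chanswitch` call, and the comment `/* for the handling code pretend it was an IE */` does not say so. Suggest `/* point the handler at the in-frame ECSA; valid for this call only, elems is freed below */`. Whether `ies_len` already guarantees the frame is long enough to contain `ext_chan_switch.data` is decided before the hunk and cannot be checked from here. `ieee80211_sta_rx_queued_mgmt` starts and ends outside the hunk.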