* [PATCH 1/4] nl80211: check nla_put_* return values
@ 2013-10-28 14:08 Johannes Berg
2013-10-28 14:08 ` [PATCH 2/4] nl80211: fix error path in nl80211_get_key() Johannes Berg
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Johannes Berg @ 2013-10-28 14:08 UTC (permalink / raw)
To: linux-wireless; +Cc: Johannes Berg
From: Johannes Berg <johannes.berg@intel.com>
Coverity pointed out that in a few functions we don't
check the return value of the nla_put_*() calls. Most
of these are fairly harmless because the input isn't
very dynamic and controlled by the kernel, but the
pattern is simply wrong, so fix this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/wireless/nl80211.c | 52 +++++++++++++++++++++++++++++---------------------
1 file changed, 30 insertions(+), 22 deletions(-)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 8ced6bc..1fef427 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -9633,8 +9633,9 @@ static int nl80211_add_scan_req(struct sk_buff *msg,
nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
goto nla_put_failure;
- if (req->flags)
- nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags);
+ if (req->flags &&
+ nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
+ goto nla_put_failure;
return 0;
nla_put_failure:
@@ -11118,16 +11119,18 @@ void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
wakeup->pattern_idx))
goto free_msg;
- if (wakeup->tcp_match)
- nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH);
+ if (wakeup->tcp_match &&
+ nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
+ goto free_msg;
- if (wakeup->tcp_connlost)
- nla_put_flag(msg,
- NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST);
+ if (wakeup->tcp_connlost &&
+ nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
+ goto free_msg;
- if (wakeup->tcp_nomoretokens)
- nla_put_flag(msg,
- NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS);
+ if (wakeup->tcp_nomoretokens &&
+ nla_put_flag(msg,
+ NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
+ goto free_msg;
if (wakeup->packet) {
u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
@@ -11263,24 +11266,29 @@ void cfg80211_ft_event(struct net_device *netdev,
return;
hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
- if (!hdr) {
- nlmsg_free(msg);
- return;
- }
+ if (!hdr)
+ goto out;
+
+ if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
+ nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
+ nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
+ goto out;
- nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
- nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex);
- nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap);
- if (ft_event->ies)
- nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies);
- if (ft_event->ric_ies)
- nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
- ft_event->ric_ies);
+ if (ft_event->ies &&
+ nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
+ goto out;
+ if (ft_event->ric_ies &&
+ nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
+ ft_event->ric_ies))
+ goto out;
genlmsg_end(msg, hdr);
genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
nl80211_mlme_mcgrp.id, GFP_KERNEL);
+ return;
+ out:
+ nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_ft_event);
--
1.8.4.rc3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/4] nl80211: fix error path in nl80211_get_key()
2013-10-28 14:08 [PATCH 1/4] nl80211: check nla_put_* return values Johannes Berg
@ 2013-10-28 14:08 ` Johannes Berg
2013-10-28 14:08 ` [PATCH 3/4] nl80211: check nla_nest_start() return value Johannes Berg
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Johannes Berg @ 2013-10-28 14:08 UTC (permalink / raw)
To: linux-wireless; +Cc: Johannes Berg
From: Johannes Berg <johannes.berg@intel.com>
Coverity pointed out that in the (practically impossible)
error case we leak the message - fix this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/wireless/nl80211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 1fef427..22df144 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2668,7 +2668,7 @@ static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
NL80211_CMD_NEW_KEY);
if (!hdr)
- return -ENOBUFS;
+ goto nla_put_failure;
cookie.msg = msg;
cookie.idx = key_idx;
--
1.8.4.rc3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 3/4] nl80211: check nla_nest_start() return value
2013-10-28 14:08 [PATCH 1/4] nl80211: check nla_put_* return values Johannes Berg
2013-10-28 14:08 ` [PATCH 2/4] nl80211: fix error path in nl80211_get_key() Johannes Berg
@ 2013-10-28 14:08 ` Johannes Berg
2013-10-28 14:08 ` [PATCH 4/4] mac80211: remove useless tests for array Johannes Berg
2013-11-06 10:59 ` [PATCH 1/4] nl80211: check nla_put_* return values Johannes Berg
3 siblings, 0 replies; 5+ messages in thread
From: Johannes Berg @ 2013-10-28 14:08 UTC (permalink / raw)
To: linux-wireless; +Cc: Johannes Berg
From: Johannes Berg <johannes.berg@intel.com>
Coverity pointed out that we might dereference NULL later
if nla_nest_start() returns a failure. This isn't really
true since we'd bomb out before, but we should check the
return value directly, so do that.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/wireless/nl80211.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 22df144..99dc3f3 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -11094,6 +11094,8 @@ void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
struct nlattr *reasons;
reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
+ if (!reasons)
+ goto free_msg;
if (wakeup->disconnect &&
nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
--
1.8.4.rc3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 4/4] mac80211: remove useless tests for array
2013-10-28 14:08 [PATCH 1/4] nl80211: check nla_put_* return values Johannes Berg
2013-10-28 14:08 ` [PATCH 2/4] nl80211: fix error path in nl80211_get_key() Johannes Berg
2013-10-28 14:08 ` [PATCH 3/4] nl80211: check nla_nest_start() return value Johannes Berg
@ 2013-10-28 14:08 ` Johannes Berg
2013-11-06 10:59 ` [PATCH 1/4] nl80211: check nla_put_* return values Johannes Berg
3 siblings, 0 replies; 5+ messages in thread
From: Johannes Berg @ 2013-10-28 14:08 UTC (permalink / raw)
To: linux-wireless; +Cc: Johannes Berg
From: Johannes Berg <johannes.berg@intel.com>
Coverity points out that checking assoc_data->ie is
completely useless since it's an array in the struct
and can't be NULL - remove the useless checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/mac80211/mlme.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 1305ff9..5b2b0a1 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -714,7 +714,7 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
}
/* if present, add any custom IEs that go before HT */
- if (assoc_data->ie_len && assoc_data->ie) {
+ if (assoc_data->ie_len) {
static const u8 before_ht[] = {
WLAN_EID_SSID,
WLAN_EID_SUPP_RATES,
@@ -748,7 +748,7 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
&assoc_data->ap_vht_cap);
/* if present, add any custom non-vendor IEs that go after HT */
- if (assoc_data->ie_len && assoc_data->ie) {
+ if (assoc_data->ie_len) {
noffset = ieee80211_ie_split_vendor(assoc_data->ie,
assoc_data->ie_len,
offset);
@@ -779,7 +779,7 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
}
/* add any remaining custom (i.e. vendor specific here) IEs */
- if (assoc_data->ie_len && assoc_data->ie) {
+ if (assoc_data->ie_len) {
noffset = assoc_data->ie_len;
pos = skb_put(skb, noffset - offset);
memcpy(pos, assoc_data->ie + offset, noffset - offset);
--
1.8.4.rc3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 1/4] nl80211: check nla_put_* return values
2013-10-28 14:08 [PATCH 1/4] nl80211: check nla_put_* return values Johannes Berg
` (2 preceding siblings ...)
2013-10-28 14:08 ` [PATCH 4/4] mac80211: remove useless tests for array Johannes Berg
@ 2013-11-06 10:59 ` Johannes Berg
3 siblings, 0 replies; 5+ messages in thread
From: Johannes Berg @ 2013-11-06 10:59 UTC (permalink / raw)
To: linux-wireless
Applied all
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2013-11-06 10:59 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-10-28 14:08 [PATCH 1/4] nl80211: check nla_put_* return values Johannes Berg
2013-10-28 14:08 ` [PATCH 2/4] nl80211: fix error path in nl80211_get_key() Johannes Berg
2013-10-28 14:08 ` [PATCH 3/4] nl80211: check nla_nest_start() return value Johannes Berg
2013-10-28 14:08 ` [PATCH 4/4] mac80211: remove useless tests for array Johannes Berg
2013-11-06 10:59 ` [PATCH 1/4] nl80211: check nla_put_* return values Johannes Berg
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.