* [PATCH] mac80211: reject zero cookie in mgmt-tx/roc cancel
@ 2015-12-01 22:22 Johannes Berg
0 siblings, 0 replies; only message in thread
From: Johannes Berg @ 2015-12-01 22:22 UTC (permalink / raw)
To: linux-wireless; +Cc: Johannes Berg
From: Johannes Berg <johannes.berg@intel.com>
When cancelling, you can cancel "any" (first in list) mgmt-tx
or remain-on-channel operation by using the value 0 for the
cookie along with the *opposite* operation, i.e.
* cancel the first mgmt-tx by cancelling roc with 0 cookie
* cancel the first roc by cancelling mgmt-tx with 0 cookie
This isn't really that bad since userspace should only pass
cookies that we gave it, but could lead to hard-to-debug
issues so better prevent it and reject zero values since we
never hand those out.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/mac80211/offchannel.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index cfd3356e26fd..6719b27aad66 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -697,6 +697,9 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local,
struct ieee80211_roc_work *roc, *tmp, *found = NULL;
int ret;
+ if (!cookie)
+ return -ENOENT;
+
mutex_lock(&local->mtx);
list_for_each_entry_safe(roc, tmp, &local->roc_list, list) {
if (!mgmt_tx && roc->cookie != cookie)
--
2.6.2
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2015-12-01 22:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-12-01 22:22 [PATCH] mac80211: reject zero cookie in mgmt-tx/roc cancel Johannes Berg
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.