From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Julian Squires <julian@cipht.net>,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 26/48] cfg80211: check vendor command doit pointer before use
Date: Mon, 10 Aug 2020 17:21:48 +0200 [thread overview]
Message-ID: <20200810151805.502158557@linuxfoundation.org> (raw)
In-Reply-To: <20200810151804.199494191@linuxfoundation.org>
From: Julian Squires <julian@cipht.net>
[ Upstream commit 4052d3d2e8f47a15053320bbcbe365d15610437d ]
In the case where a vendor command does not implement doit, and has no
flags set, doit would not be validated and a NULL pointer dereference
would occur, for example when invoking the vendor command via iw.
I encountered this while developing new vendor commands. Perhaps in
practice it is advisable to always implement doit along with dumpit,
but it seems reasonable to me to always check doit anyway, not just
when NEED_WDEV.
Signed-off-by: Julian Squires <julian@cipht.net>
Link: https://lore.kernel.org/r/20200706211353.2366470-1-julian@cipht.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/nl80211.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 0221849b72180..996b68b48a878 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -12392,13 +12392,13 @@ static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
if (!wdev_running(wdev))
return -ENETDOWN;
}
-
- if (!vcmd->doit)
- return -EOPNOTSUPP;
} else {
wdev = NULL;
}
+ if (!vcmd->doit)
+ return -EOPNOTSUPP;
+
if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
--
2.25.1
next prev parent reply other threads:[~2020-08-10 15:31 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-10 15:21 [PATCH 4.19 00/48] 4.19.139-rc1 review Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 01/48] USB: serial: qcserial: add EM7305 QDL product ID Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 02/48] USB: iowarrior: fix up report size handling for some devices Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 03/48] usb: xhci: define IDs for various ASMedia host controllers Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 04/48] usb: xhci: Fix ASMedia ASM1142 DMA addressing Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 05/48] Revert "ALSA: hda: call runtime_allow() for all hda controllers" Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 06/48] ALSA: seq: oss: Serialize ioctls Greg Kroah-Hartman
2020-08-10 16:37 ` Pavel Machek
2020-08-10 17:29 ` Greg Kroah-Hartman
2020-08-10 17:53 ` Takashi Iwai
2020-08-10 15:21 ` [PATCH 4.19 07/48] staging: android: ashmem: Fix lockdep warning for write operation Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 08/48] Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 09/48] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt() Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 10/48] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt() Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 11/48] omapfb: dss: Fix max fclk divider for omap36xx Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 12/48] binder: Prevent context manager from incrementing ref 0 Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 13/48] vgacon: Fix for missing check in scrollback handling Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 14/48] mtd: properly check all write ioctls for permissions Greg Kroah-Hartman
2020-08-10 16:38 ` Pavel Machek
2020-08-10 18:40 ` Richard Weinberger
2020-08-10 15:21 ` [PATCH 4.19 15/48] leds: wm831x-status: fix use-after-free on unbind Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 16/48] leds: da903x: " Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 17/48] leds: lm3533: " Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 18/48] leds: 88pm860x: " Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 19/48] net/9p: validate fds in p9_fd_open Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 20/48] drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 21/48] drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 22/48] i2c: slave: improve sanity check when registering Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 23/48] i2c: slave: add sanity check when unregistering Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 24/48] usb: hso: check for return value in hso_serial_common_create() Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 25/48] firmware: Fix a reference count leak Greg Kroah-Hartman
2020-08-10 16:41 ` Pavel Machek
2020-08-10 15:21 ` Greg Kroah-Hartman [this message]
2020-08-10 15:21 ` [PATCH 4.19 27/48] igb: reinit_locked() should be called with rtnl_lock Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 28/48] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 29/48] tools lib traceevent: Fix memory leak in process_dynamic_array_len Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 30/48] Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23) Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 31/48] xattr: break delegations in {set,remove}xattr Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 32/48] ipv4: Silence suspicious RCU usage warning Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 33/48] ipv6: fix memory leaks on IPV6_ADDRFORM path Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 34/48] net: ethernet: mtk_eth_soc: fix MTU warnings Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 35/48] vxlan: Ensure FDB dump is performed under RCU Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 36/48] net: lan78xx: replace bogus endpoint lookup Greg Kroah-Hartman
2020-08-10 15:21 ` [PATCH 4.19 37/48] hv_netvsc: do not use VF device if link is down Greg Kroah-Hartman
2020-08-10 15:22 ` [PATCH 4.19 38/48] net: gre: recompute gre csum for sctp over gre tunnels Greg Kroah-Hartman
2020-08-10 15:22 ` [PATCH 4.19 39/48] net: thunderx: use spin_lock_bh in nicvf_set_rx_mode_task() Greg Kroah-Hartman
2020-08-10 15:22 ` [PATCH 4.19 40/48] openvswitch: Prevent kernel-infoleak in ovs_ct_put_key() Greg Kroah-Hartman
2020-08-10 15:22 ` [PATCH 4.19 41/48] Revert "vxlan: fix tos value before xmit" Greg Kroah-Hartman
2020-08-10 15:22 ` [PATCH 4.19 42/48] selftests/net: relax cpu affinity requirement in msg_zerocopy test Greg Kroah-Hartman
2020-08-10 15:22 ` [PATCH 4.19 43/48] rxrpc: Fix race between recvmsg and sendmsg on immediate call failure Greg Kroah-Hartman
2020-08-10 15:22 ` [PATCH 4.19 44/48] i40e: add num_vectors checker in iwarp handler Greg Kroah-Hartman
2020-08-10 15:22 ` [PATCH 4.19 45/48] i40e: Wrong truncation from u16 to u8 Greg Kroah-Hartman
2020-08-10 15:22 ` [PATCH 4.19 46/48] i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c Greg Kroah-Hartman
2020-08-10 15:22 ` [PATCH 4.19 47/48] i40e: Memory leak in i40e_config_iwarp_qvlist Greg Kroah-Hartman
2020-08-11 12:46 ` Pavel Machek
2020-08-11 16:45 ` Jesse Brandeburg
2020-08-10 15:22 ` [PATCH 4.19 48/48] Smack: fix use-after-free in smk_write_relabel_self() Greg Kroah-Hartman
2020-08-10 23:12 ` [PATCH 4.19 00/48] 4.19.139-rc1 review Shuah Khan
2020-08-11 7:56 ` Jon Hunter
2020-08-11 8:28 ` Naresh Kamboju
2020-08-11 8:32 ` Pavel Machek
2020-08-11 14:22 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200810151805.502158557@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=johannes.berg@intel.com \
--cc=julian@cipht.net \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).