From: Bing Zhao Date: Mon, 13 May 2013 19:46:10 +0000 (-0700) Subject: CHROMIUM: mwifiex: Dereference bss only if it is non-null X-Git-Url: http://git.cascardo.eti.br/?p=cascardo%2Flinux.git;a=commitdiff_plain;h=51f78544534ba17097f17aa1ca405267660181c3 CHROMIUM: mwifiex: Dereference bss only if it is non-null Commit: 0ec8d6f mwifiex: fix use-after-free in beacon_ie processing introduced an issue where the "bss" pointer was dereferenced in mwifiex_bss_start() before a NULL check. Fix this. Signed-off-by: Paul Stewart BUG=chrome-os-partner:19392 TEST=Change AP SSID while associating. Change-Id: Iff8e02719f2c2e4f6560fab2dcfc65620c15ac31 Reviewed-on: https://gerrit.chromium.org/gerrit/51015 Commit-Queue: Paul Stewart Reviewed-by: Paul Stewart Tested-by: Paul Stewart --- diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c index 20ed12547838..1474a02859b6 100644 --- a/drivers/net/wireless/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/mwifiex/sta_ioctl.c @@ -230,7 +230,7 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss, struct mwifiex_adapter *adapter = priv->adapter; struct mwifiex_bssdescriptor *bss_desc = NULL; u8 *beacon_ie = NULL; - size_t beacon_ie_len = bss->len_information_elements; + size_t beacon_ie_len; priv->scan_block = false; @@ -245,6 +245,7 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss, return -ENOMEM; } + beacon_ie_len = bss->len_information_elements; beacon_ie = kmemdup(bss->information_elements, beacon_ie_len, GFP_KERNEL); if (!beacon_ie) {
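Review bot: In the first hunk, moving the read of `bss->len_information_elements` out of the declaration initializer is the right fix for the ordering problem, because an initializer executes at function entry, before any `if (!bss)` guard that appears later in the body; the only statement visible between the now-bare `size_t beacon_ie_len;` declaration and its later assignment is `priv->scan_block = false;`, so the hunk introduces no uninitialized use, but it is worth building with `-Wmaybe-uninitialized` (or a sparse/smatch pass) to confirm no other path in the full function reads `beacon_ie_len` before the new assignment.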
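Review bot: In the second hunk, the new `beacon_ie_len = bss->len_information_elements;` is placed directly above the existing `kmemdup(bss->information_elements, beacon_ie_len, GFP_KERNEL)` call, which already dereferences `bss`, so both reads are now covered by whatever guard precedes them; that guard is not in the hunk's context (the `return -ENOMEM; }` immediately above is the tail of an allocation-failure path, not a `bss` NULL check), so confirm in the full function that the `if (!bss)` check sits above this point rather than below it. If `beacon_ie_len` has no other use in the function, consider dropping the variable and passing `bss->len_information_elements` to `kmemdup()` directly, which keeps the dereference and the guard visibly adjacent.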