mwifiex: fix use-after-free in beacon_ie processing
author: Bing Zhao <bzhao@marvell.com>
Tue, 9 Apr 2013 00:55:58 +0000 (17:55 -0700)
committer: ChromeBot <chrome-bot@google.com>
Wed, 10 Apr 2013 00:37:22 +0000 (17:37 -0700)
commit: 0ec8d6ffb30421f718021a745dfa03b1a64d26eb
tree: 21f015d03012e409508304bfc5d806be852abab3
parent: 2966c172902048d7d4f53de84b633b210cdd3680

beacon_ie buffer is allocated in mwifiex_fill_new_bss_desc()
and the buffer pointer is saved in bss_desc->beacon_buf.

beacon_ie is freed before the function returns. However,
bss_desc->beacon_buf is still being accessed afterwards.

Fix it by allocating and freeing the beacon_ie buffer in
caller's scope.

BUG=chrome-os-partner:18602
TEST=able to associate to AP with and without
slub_debug=FZPUA kernel option.

Change-Id: If6ba90dc3a6d6890a4c891a0c4ab06d46f8cdcc9
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Reviewed-on: https://gerrit.chromium.org/gerrit/47621
Reviewed-by: Doug Anderson <dianders@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
drivers/net/wireless/mwifiex/main.h
drivers/net/wireless/mwifiex/scan.c
drivers/net/wireless/mwifiex/sta_ioctl.c
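The ownership pattern the commit message describes, as an added example that is not mwifiex code: a callee allocates a temporary buffer, stores its pointer in a longer-lived struct, and frees the buffer before returning, so the struct is left holding a dangling pointer; moving allocation and free into the caller's scope ties the buffer's lifetime to the struct's use. The names (bss_desc, fill_desc_buggy, fill_desc_fixed, read_ie_len), the sample beacon IE bytes and the small liveness tracker are all assumptions for illustration; the tracker stands in for the freed-memory poisoning that slub_debug provides in the kernel and lets the dangling read be detected without dereferencing freed memory.

```c
/* Added example, not mwifiex code: callee-owned vs caller-owned buffer lifetime.
 * All names are hypothetical; the tracker mimics slub_debug poisoning so that a
 * read through a freed pointer is reported rather than actually performed. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Tiny liveness tracker: records which allocations are still valid. */
#define MAX_TRACKED 16
static void *live[MAX_TRACKED];

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; i < MAX_TRACKED; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (live[i] == p) live[i] = NULL;
    free(p);
}

static int is_live(const void *p)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (p && live[i] == p) return 1;
    return 0;
}

/* Hypothetical stand-in for the scan result descriptor. */
struct bss_desc {
    unsigned char *beacon_buf;
    size_t beacon_buf_size;
};

/* Constructed beacon IE bytes: SSID element (id 0, length 4, "test"). */
static const unsigned char sample_ie[] = { 0x00, 0x04, 't', 'e', 's', 't' };

/* Buggy shape: the callee allocates, stores the pointer in *desc, then frees
 * before returning. desc->beacon_buf dangles as soon as this returns. */
static int fill_desc_buggy(struct bss_desc *desc)
{
    unsigned char *beacon_ie = tracked_alloc(sizeof(sample_ie));
    if (!beacon_ie) return -1;
    memcpy(beacon_ie, sample_ie, sizeof(sample_ie));
    desc->beacon_buf = beacon_ie;
    desc->beacon_buf_size = sizeof(sample_ie);
    tracked_free(beacon_ie);      /* the stored pointer outlives this free */
    return 0;
}

/* Fixed shape: the caller owns the buffer; the callee only fills it. */
static int fill_desc_fixed(struct bss_desc *desc, unsigned char *beacon_ie, size_t len)
{
    if (len < sizeof(sample_ie)) return -1;
    memcpy(beacon_ie, sample_ie, sizeof(sample_ie));
    desc->beacon_buf = beacon_ie;
    desc->beacon_buf_size = sizeof(sample_ie);
    return 0;
}

/* Reads the IE length byte through desc->beacon_buf, the access that happens
 * "afterwards" in the commit message. Returns -1 if the buffer is freed. */
static int read_ie_len(const struct bss_desc *desc)
{
    if (desc->beacon_buf_size < 2 || !is_live(desc->beacon_buf)) return -1;
    return desc->beacon_buf[1];
}

int use_buggy(void)
{
    struct bss_desc desc = {0};
    if (fill_desc_buggy(&desc)) return -2;
    return read_ie_len(&desc);    /* -1: callee already freed the buffer */
}

int use_fixed(void)
{
    struct bss_desc desc = {0};
    unsigned char *beacon_ie = tracked_alloc(sizeof(sample_ie));  /* caller's scope */
    if (!beacon_ie) return -2;
    int len = fill_desc_fixed(&desc, beacon_ie, sizeof(sample_ie)) ? -2 : read_ie_len(&desc);
    tracked_free(beacon_ie);      /* freed only after the last use of desc */
    return len;                   /* 4 */
}

int main(void)
{
    printf("buggy: %d, fixed: %d\n", use_buggy(), use_fixed());
    return 0;
}
```

In the real driver there is no tracker; the dangling read either silently returns whatever now occupies the freed slab object or, with slub_debug=FZPUA as in the commit's TEST line, hits poisoned memory and is reported. The fix is purely a lifetime change: whoever still needs bss_desc->beacon_buf must be the one that frees it.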