From 51f78544534ba17097f17aa1ca405267660181c3 Mon Sep 17 00:00:00 2001
From: Bing Zhao
Date: Mon, 13 May 2013 12:46:10 -0700
Subject: [PATCH] CHROMIUM: mwifiex: Dereference bss only if it is non-null
Commit: 0ec8d6f mwifiex: fix use-after-free in beacon_ie processing introduced an issue where the "bss" pointer was dereferenced in mwifiex_bss_start() before a NULL check. Fix this.
Signed-off-by: Paul Stewart
BUG=chrome-os-partner:19392
TEST=Change AP SSID while associating.
Change-Id: Iff8e02719f2c2e4f6560fab2dcfc65620c15ac31
Reviewed-on: https://gerrit.chromium.org/gerrit/51015
Commit-Queue: Paul Stewart
Reviewed-by: Paul Stewart
Tested-by: Paul Stewart
---
 drivers/net/wireless/mwifiex/sta_ioctl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c
index 20ed12547838..1474a02859b6 100644
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -230,7 +230,7 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
 struct mwifiex_adapter *adapter = priv->adapter;
 struct mwifiex_bssdescriptor *bss_desc = NULL;
 u8 *beacon_ie = NULL;
- size_t beacon_ie_len = bss->len_information_elements;
+ size_t beacon_ie_len;
 priv->scan_block = false;
@@ -245,6 +245,7 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
 return -ENOMEM;
 }
+ beacon_ie_len = bss->len_information_elements;
 beacon_ie = kmemdup(bss->information_elements, beacon_ie_len,
 GFP_KERNEL);
 if (!beacon_ie) {
-- 
2.20.1
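Review bot: After this change `beacon_ie_len` is an uninitialized automatic from its declaration in the first hunk until the assignment added in the second, so any later use of it on a path that does not pass through the kmemdup call (the `bss == NULL` branch the commit title implies exists) would read an indeterminate value, which is undefined behaviour in C. The `if (bss)` check that is meant to guard the moved dereference is not visible in either hunk, so whether the new assignment and every later consumer of `beacon_ie_len` sit inside it cannot be confirmed from the patch alone. A cheap way to make this robust regardless of that structure is to zero the length at its declaration, `size_t beacon_ie_len = 0;`, while keeping the deferred `bss->len_information_elements` read where the commit places it. mwifiex_bss_start() begins before the first hunk and continues past the second, and since the NULL dereference being fixed is reachable from AP-side behaviour during association (per the TEST line), a short comment at the kmemdup site such as `/* bss was NULL-checked above; safe to read its IEs here */` would document the invariant the fix depends on.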