diff options
author | Johannes Berg <johannes.berg@intel.com> | 2011-07-20 00:52:16 +0200 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2011-07-20 21:04:38 +0200 |
commit | a401d2bb363d942245acdd81c5b5a754011696ee (patch) | |
tree | 1f05cf5d53b72576d101572aeca176320fc361df /net | |
parent | carl9170: fix sparse warnings enabled by CONFIG_SPARSE_RCU_POINTER (diff) | |
download | linux-a401d2bb363d942245acdd81c5b5a754011696ee.tar.xz linux-a401d2bb363d942245acdd81c5b5a754011696ee.zip |
cfg80211: fix scan crash on single-band cards
commit 58389c69150e6032504dfcd3edca6b1975c8b5bc
Author: Johannes Berg <johannes.berg@intel.com>
Date: Mon Jul 18 18:08:35 2011 +0200
cfg80211: allow userspace to control supported rates in scan
made single-band cards crash since it would always
access all wiphy->bands[]. Fix this and reject any
attempts in the new helper ieee80211_get_ratemask()
to do the same, rejecting rates configuration for
unsupported bands.
Reported-by: Pavel Roskin <proski@gnu.org>
Tested-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/wireless/nl80211.c | 4 | ||||
-rw-r--r-- | net/wireless/scan.c | 3 | ||||
-rw-r--r-- | net/wireless/util.c | 3 |
3 files changed, 8 insertions, 2 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 20aa390cf338..28d2aa109bee 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -3454,7 +3454,9 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info) } for (i = 0; i < IEEE80211_NUM_BANDS; i++) - request->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1; + if (wiphy->bands[i]) + request->rates[i] = + (1 << wiphy->bands[i]->n_bitrates) - 1; if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) { nla_for_each_nested(attr, diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 1e7ff949d1aa..2936cb809152 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -863,7 +863,8 @@ int cfg80211_wext_siwscan(struct net_device *dev, } for (i = 0; i < IEEE80211_NUM_BANDS; i++) - creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1; + if (wiphy->bands[i]) + creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1; rdev->scan_req = creq; err = rdev->ops->scan(wiphy, dev, creq); diff --git a/net/wireless/util.c b/net/wireless/util.c index a329429bfdd8..be75a3a0424e 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -1013,6 +1013,9 @@ int ieee80211_get_ratemask(struct ieee80211_supported_band *sband, { int i, j; + if (!sband) + return -EINVAL; + if (n_rates == 0 || n_rates > NL80211_MAX_SUPP_RATES) return -EINVAL; |