summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2011-07-20 00:52:16 +0200
committerJohn W. Linville <linville@tuxdriver.com>2011-07-20 21:04:38 +0200
commita401d2bb363d942245acdd81c5b5a754011696ee (patch)
tree1f05cf5d53b72576d101572aeca176320fc361df /net
parentcarl9170: fix sparse warnings enabled by CONFIG_SPARSE_RCU_POINTER (diff)
downloadlinux-a401d2bb363d942245acdd81c5b5a754011696ee.tar.xz
linux-a401d2bb363d942245acdd81c5b5a754011696ee.zip
cfg80211: fix scan crash on single-band cards
commit 58389c69150e6032504dfcd3edca6b1975c8b5bc Author: Johannes Berg <johannes.berg@intel.com> Date: Mon Jul 18 18:08:35 2011 +0200 cfg80211: allow userspace to control supported rates in scan made single-band cards crash since it would always access all wiphy->bands[]. Fix this and reject any attempts in the new helper ieee80211_get_ratemask() to do the same, rejecting rates configuration for unsupported bands. Reported-by: Pavel Roskin <proski@gnu.org> Tested-by: Pavel Roskin <proski@gnu.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
-rw-r--r--net/wireless/nl80211.c4
-rw-r--r--net/wireless/scan.c3
-rw-r--r--net/wireless/util.c3
3 files changed, 8 insertions, 2 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 20aa390cf338..28d2aa109bee 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3454,7 +3454,9 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
}
for (i = 0; i < IEEE80211_NUM_BANDS; i++)
- request->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1;
+ if (wiphy->bands[i])
+ request->rates[i] =
+ (1 << wiphy->bands[i]->n_bitrates) - 1;
if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
nla_for_each_nested(attr,
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 1e7ff949d1aa..2936cb809152 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -863,7 +863,8 @@ int cfg80211_wext_siwscan(struct net_device *dev,
}
for (i = 0; i < IEEE80211_NUM_BANDS; i++)
- creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1;
+ if (wiphy->bands[i])
+ creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1;
rdev->scan_req = creq;
err = rdev->ops->scan(wiphy, dev, creq);
diff --git a/net/wireless/util.c b/net/wireless/util.c
index a329429bfdd8..be75a3a0424e 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1013,6 +1013,9 @@ int ieee80211_get_ratemask(struct ieee80211_supported_band *sband,
{
int i, j;
+ if (!sband)
+ return -EINVAL;
+
if (n_rates == 0 || n_rates > NL80211_MAX_SUPP_RATES)
return -EINVAL;