diff options
author | Johannes Berg <johannes.berg@intel.com> | 2013-07-30 22:34:28 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-08-20 08:43:04 -0700 |
commit | 289813a71e600f652d995d1e94a50112fb1dcfd7 (patch) | |
tree | fffff9d095f303896cc2b128724db20466e936cc /net | |
parent | fa392433df90eec8059dae7323ed2b398c92ecb2 (diff) | |
download | kernel-common-289813a71e600f652d995d1e94a50112fb1dcfd7.tar.gz kernel-common-289813a71e600f652d995d1e94a50112fb1dcfd7.tar.bz2 kernel-common-289813a71e600f652d995d1e94a50112fb1dcfd7.zip |
nl80211: fix another nl80211_fam.attrbuf race
commit c319d50bfcf678c2857038276d9fab3c6646f3bf upstream.
This is similar to the race Linus had reported, but in this case
it's an older bug: nl80211_prepare_wdev_dump() uses the wiphy
index in cb->args[0] as it is and thus parses the message over
and over again instead of just once because 0 is the first valid
wiphy index. Similar code in nl80211_testmode_dump() correctly
offsets the wiphy_index by 1, do that here as well.
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/wireless/nl80211.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index db8ead94ff7a..448c034184e2 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -471,10 +471,12 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb, goto out_unlock; } *rdev = wiphy_to_dev((*wdev)->wiphy); - cb->args[0] = (*rdev)->wiphy_idx; + /* 0 is the first index - add 1 to parse only once */ + cb->args[0] = (*rdev)->wiphy_idx + 1; cb->args[1] = (*wdev)->identifier; } else { - struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0]); + /* subtract the 1 again here */ + struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1); struct wireless_dev *tmp; if (!wiphy) { |