summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2013-07-30 22:34:28 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-08-20 08:43:04 -0700
commit289813a71e600f652d995d1e94a50112fb1dcfd7 (patch)
treefffff9d095f303896cc2b128724db20466e936cc /net
parentfa392433df90eec8059dae7323ed2b398c92ecb2 (diff)
downloadkernel-common-289813a71e600f652d995d1e94a50112fb1dcfd7.tar.gz
kernel-common-289813a71e600f652d995d1e94a50112fb1dcfd7.tar.bz2
kernel-common-289813a71e600f652d995d1e94a50112fb1dcfd7.zip
nl80211: fix another nl80211_fam.attrbuf race
commit c319d50bfcf678c2857038276d9fab3c6646f3bf upstream. This is similar to the race Linus had reported, but in this case it's an older bug: nl80211_prepare_wdev_dump() uses the wiphy index in cb->args[0] as it is and thus parses the message over and over again instead of just once because 0 is the first valid wiphy index. Similar code in nl80211_testmode_dump() correctly offsets the wiphy_index by 1, do that here as well. Reported-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
-rw-r--r--net/wireless/nl80211.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index db8ead94ff7a..448c034184e2 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -471,10 +471,12 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
goto out_unlock;
}
*rdev = wiphy_to_dev((*wdev)->wiphy);
- cb->args[0] = (*rdev)->wiphy_idx;
+ /* 0 is the first index - add 1 to parse only once */
+ cb->args[0] = (*rdev)->wiphy_idx + 1;
cb->args[1] = (*wdev)->identifier;
} else {
- struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0]);
+ /* subtract the 1 again here */
+ struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
struct wireless_dev *tmp;
if (!wiphy) {