diff options
| author | Aleksei Vetrov <vvvvvv@google.com> | 2024-10-29 13:22:11 +0000 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2024-11-07 14:38:33 +0100 |
| commit | 9c46a3a5b394d6d123866aa44436fc2cd342eb0d (patch) | |
| tree | 2a771886d0dd55f109805dcd917fa7ff5dad1fe0 | |
| parent | b4ebb58cb9a4b1b5cb5278b09d6afdcd71b2a6b4 (diff) | |
| download | linux-stable-9c46a3a5b394d6d123866aa44436fc2cd342eb0d.tar.gz linux-stable-9c46a3a5b394d6d123866aa44436fc2cd342eb0d.tar.bz2 linux-stable-9c46a3a5b394d6d123866aa44436fc2cd342eb0d.zip | |
wifi: nl80211: fix bounds checker error in nl80211_parse_sched_scan
The channels array in the cfg80211_scan_request has a __counted_by
attribute attached to it, which points to the n_channels variable. This
attribute is used in bounds checking, and if it is not set before the
array is filled, then the bounds sanitizer will issue a warning or a
kernel panic if CONFIG_UBSAN_TRAP is set.
This patch sets the size of allocated memory as the initial value for
n_channels. It is updated with the actual number of added elements after
the array is filled.
Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate")
Cc: stable@vger.kernel.org
Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Link: https://patch.msgid.link/20241029-nl80211_parse_sched_scan-bounds-checker-fix-v2-1-c804b787341f@google.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| -rw-r--r-- | net/wireless/nl80211.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 1ac8a196f376..d281568b2e2e 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -9802,6 +9802,7 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev, request = kzalloc(size, GFP_KERNEL); if (!request) return ERR_PTR(-ENOMEM); + request->n_channels = n_channels; if (n_ssids) request->ssids = (void *)request + |