Hi!
[ Upstream commit 6ef09cdc5ba0f93826c09d810c141a8d103a80fc ]
In 'cfg80211_wext_siwscan()', add extra check whether number of channels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed IW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.
This results in very confusing code in 4.19 at least. It should goto out for consistency, exploting kfree(NULL) to be nop. Ok, not sure we care...
Best regards, Pavel
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index dacb9ceee3efd..0dc27703443c8 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1405,10 +1405,14 @@ int cfg80211_wext_siwscan(struct net_device *dev, wiphy = &rdev->wiphy; /* Determine number of channels, needed to allocate creq */
- if (wreq && wreq->num_channels)
- if (wreq && wreq->num_channels) {
/* Passed from userspace so should be checked */
if (unlikely(wreq->num_channels > IW_MAX_FREQUENCIES))
n_channels = wreq->num_channels;return -EINVAL;
- else
- } else { n_channels = ieee80211_get_num_supported_channels(wiphy);
- }
creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) + n_channels * sizeof(void *),