Commit f3f92586 authored by Jouni Malinen's avatar Jouni Malinen Committed by John W. Linville

nl80211: Check that function pointer != NULL before using it

NL80211_CMD_GET_MESH_PARAMS and NL80211_CMD_SET_MESH_PARAMS handlers
did not verify whether a function pointer is NULL (not supported by
the driver) before trying to call the function. The former nl80211
command is available for unprivileged users, too, so this can
potentially allow normal users to kill networking (or worse..) if
mac80211 is built without CONFIG_MAC80211_MESH=y.
Signed-off-by: default avatarJouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 170ebf85
...@@ -1908,6 +1908,11 @@ static int nl80211_get_mesh_params(struct sk_buff *skb, ...@@ -1908,6 +1908,11 @@ static int nl80211_get_mesh_params(struct sk_buff *skb,
if (err) if (err)
return err; return err;
if (!drv->ops->get_mesh_params) {
err = -EOPNOTSUPP;
goto out;
}
/* Get the mesh params */ /* Get the mesh params */
rtnl_lock(); rtnl_lock();
err = drv->ops->get_mesh_params(&drv->wiphy, dev, &cur_params); err = drv->ops->get_mesh_params(&drv->wiphy, dev, &cur_params);
...@@ -2017,6 +2022,11 @@ static int nl80211_set_mesh_params(struct sk_buff *skb, struct genl_info *info) ...@@ -2017,6 +2022,11 @@ static int nl80211_set_mesh_params(struct sk_buff *skb, struct genl_info *info)
if (err) if (err)
return err; return err;
if (!drv->ops->set_mesh_params) {
err = -EOPNOTSUPP;
goto out;
}
/* This makes sure that there aren't more than 32 mesh config /* This makes sure that there aren't more than 32 mesh config
* parameters (otherwise our bitfield scheme would not work.) */ * parameters (otherwise our bitfield scheme would not work.) */
BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32); BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
...@@ -2061,6 +2071,7 @@ static int nl80211_set_mesh_params(struct sk_buff *skb, struct genl_info *info) ...@@ -2061,6 +2071,7 @@ static int nl80211_set_mesh_params(struct sk_buff *skb, struct genl_info *info)
err = drv->ops->set_mesh_params(&drv->wiphy, dev, &cfg, mask); err = drv->ops->set_mesh_params(&drv->wiphy, dev, &cfg, mask);
rtnl_unlock(); rtnl_unlock();
out:
/* cleanup */ /* cleanup */
cfg80211_put_dev(drv); cfg80211_put_dev(drv);
dev_put(dev); dev_put(dev);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment