authorPaul Stewart <pstew@chromium.org>2016-06-10 15:29:55 (GMT)
committerJouni Malinen <j@w1.fi>2016-06-11 09:12:23 (GMT)
commitfdc1188a85bb1e2c0a03e38724f6cd126ff374ad (patch)
treecdb8bbeae993f011263a4190dc6614e9b994cf46
parent61854f16ec6d4a8e026fcb344b66fb884cf15034 (diff)
nl80211: Fix use-after-free in qca_nl80211_get_features()
Any data accessible from nla_data() is freed before the send_and_recv_msgs() function returns, therefore we need to allocate space for info.flags ourselves. Signed-off-by: Paul Stewart <pstew@google.com>
-rw-r--r--src/drivers/driver_nl80211_capa.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c
index e1b4b64..1ebbdaa 100644
--- a/src/drivers/driver_nl80211_capa.c
+++ b/src/drivers/driver_nl80211_capa.c
@@ -904,8 +904,12 @@ static int features_info_handler(struct nl_msg *msg, void *arg)
attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_FEATURE_FLAGS];
if (attr) {
- info->flags = nla_data(attr);
- info->flags_len = nla_len(attr);
+ int len = nla_len(attr);
+ info->flags = os_malloc(len);
+ if (info->flags != NULL) {
+ os_memcpy(info->flags, nla_data(attr), len);
+ info->flags_len = len;
+ }
}
attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_CONCURRENCY_CAPA];
if (attr)
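Review bot: An allocation failure on the new `info->flags = os_malloc(len);` line is silent: info->flags_len keeps whatever value it had and nothing tells the caller, so a later feature check reads as "not supported" rather than as an error. If that best-effort behaviour is intended, a comment at the NULL check, `/* on OOM leave flags_len untouched; features then read as absent */`, would record it. If this handler can run more than once for the same request (several reply messages), each call overwrites info->flags and leaks the previous buffer; an `os_free(info->flags);` immediately before the os_malloc() call keeps the field single-owner. features_info_handler() begins outside the hunk, so whether info is zeroed before the first call is not visible here.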
@@ -968,6 +972,7 @@ static void qca_nl80211_get_features(struct wpa_driver_nl80211_data *drv)
if (check_feature(QCA_WLAN_VENDOR_FEATURE_OFFCHANNEL_SIMULTANEOUS,
&info))
drv->capa.flags |= WPA_DRIVER_FLAGS_OFFCHANNEL_SIMULTANEOUS;
+ os_free(info.flags);
}
#endif /* CONFIG_DRIVER_NL80211_QCA */
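Review bot: The new `os_free(info.flags);` is only a safe no-op on the path where features_info_handler() never runs (vendor command unsupported or send_and_recv_msgs() failing) if `info` was zero-initialized at its declaration, which lies outside the hunk; worth confirming that the declaration carries an `= { 0 }` initializer or an os_memset(), otherwise this frees an indeterminate pointer. Any early return between send_and_recv_msgs() and this line would now leak the buffer; the hunk shows none, but the function body starts outside it. A one-line comment at the free, `/* flags is heap-allocated by features_info_handler(); this is the only owner */`, would document the ownership the commit introduces.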