[PATCH] hostapd/wpa_s: use driver's extended capabilities

Jouni Malinen
Sat Feb 16 01:51:25 PST 2013


On Tue, Feb 12, 2013 at 12:35:03PM +0100, Johannes Berg wrote:
> Some extended capabilities (I'm currently interested in
> "Operating Mode Notification" for VHT) are implemented
> by the kernel driver and exported in nl80211. Use these
> in hostapd/wpa_supplicant.

This looks otherwise fine, but memory handling here looks a bit risky..

> diff --git a/hostapd/main.c b/hostapd/main.c
> @@ -273,6 +273,9 @@ static int hostapd_driver_init(struct hostapd_iface *iface)
> +		iface->extended_capa = capa.extended_capa;
> +		iface->extended_capa_mask = capa.extended_capa_mask;
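Review bot: these two assignments alias pointers owned by struct wpa_driver_capa instead of copying the data, so iface->extended_capa is only valid for as long as the driver wrapper keeps its own buffer alive, and nothing in this hunk guarantees that. Either copy the octets into an iface-owned buffer that the iface deinit path frees, or state in driver.h that the wrapper must keep the buffers valid until driver deinit. A copy would also need a length, and no length is stored alongside the pointers here.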

This stores pointers from struct wpa_driver_capa, but the code here does
not really own the allocation.

> diff --git a/src/drivers/driver.h b/src/drivers/driver.h
> @@ -880,6 +880,12 @@ struct wpa_driver_capa {
> +	/**
> +	 * extended_capa - extended capabilities in driver/device
> +	 */
> +	u8 *extended_capa, *extended_capa_mask;
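Review bot: the new members carry neither a length nor an ownership statement, so a consumer cannot know how many octets of extended_capa are valid and a wrapper cannot know whether the core will free them. Suggest adding a length member next to the pointers (for example `unsigned int extended_capa_len;`, covering both buffers if they are required to be the same size) and extending the doc comment to say who allocates and frees the buffers and whether they remain valid after get_capa() returns.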

The lifetime of these pointers is not documented..

> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> @@ -2729,6 +2729,29 @@ broken_combination:
> +	if (tb[NL80211_ATTR_EXT_CAPA] && tb[NL80211_ATTR_EXT_CAPA_MASK]) {
> +		capa->extended_capa =
> +			os_malloc(nla_len(tb[NL80211_ATTR_EXT_CAPA]));
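Review bot: the condition only requires both attributes to be present and does not require their lengths to match, so a mask attribute shorter or longer than the capability attribute would let any code that walks both buffers index past the smaller one. Suggest rejecting the pair when `nla_len(tb[NL80211_ATTR_EXT_CAPA]) != nla_len(tb[NL80211_ATTR_EXT_CAPA_MASK])`, making sure the os_malloc() result is checked before the attribute payload is copied into it, and freeing any existing capa->extended_capa before the assignment so that a repeated get_capa() call on the same driver instance does not leak the earlier buffer.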

This allocates the pointers during driver wrapper installation (and
frees them only at deinit), but some other driver wrappers could
potentially do this for each get_capa() callback separately. As such,
they could get freed up at some undefined time.

Could the driver capabilities change dynamically? Even their length?
Should the caller make a copy of the buffer instead? At minimum, the
expected behavior of the extended_capa{,_mask} pointers needs to be
documented somewhere.

-- 
Jouni Malinen                                            PGP id EFC895FA