[PATCH] nl80211: Zero num_modes if nl80211_get_hw_feature_data() fails
Jouni Malinen
j at w1.fi
Fri Dec 30 13:45:11 PST 2016
On Wed, Dec 28, 2016 at 03:47:07PM +0200, Andrei Otcheretianski wrote:
> It was possible that nl80211_get_hw_feature_data() function would return
> NULL when num_modes is not set to zero. This might result in a later crash
> when accessing hw.modes. This may be reproduced with hwsim oom tests, for
> example, dbus_connect_oom.
> Fix that by zeroing num_modes if NULL is returned.
I haven't been able to reproduce this... Would you be able to identify
the caller that does not check the returned pointer? There should be no
places where *num_modes is used if NULL is returned...
> diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c
> @@ -1771,6 +1771,7 @@ nl80211_get_hw_feature_data(void *priv, u16 *num_modes, u16 *flags)
> os_free(result.modes[i].rates);
> }
> os_free(result.modes);
> + *num_modes = 0;
> return NULL;
> }
> return wpa_driver_nl80211_postprocess_modes(result.modes,
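Review bot: The `*num_modes = 0;` reset covers only this one early-return path, while the function has other `return NULL` sites (the reply notes the failure after processing the NL80211_CMD_GET_WIPHY response), so a caller that reads `*num_modes` after a NULL return can still see a stale non-zero count. Either reset `*num_modes` at every NULL return (or once at function entry, before any mode is counted), or, as the reply suggests, fix the caller so it never reads `*num_modes` when the returned pointer is NULL; a short comment on the function stating that `*num_modes` is only meaningful when the result is non-NULL would make the contract explicit.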
This does not look like a complete fix, since the function can return
NULL also if processing of the NL80211_CMD_GET_WIPHY response fails. I'd
assume this could potentially happen after having already incremented
*num_modes. In any case, if this can really be hit with the current
hostap.git snapshot, a more appropriate fix would be to modify the caller
that uses *num_modes if NULL is returned from get_hw_feature_data().
--
Jouni Malinen PGP id EFC895FA