Diffstat (limited to 'package/kernel/mac80211/patches/subsys/350-mac80211-fix-memory-leaks-with-element-parsing.patch')
-rw-r--r-- | package/kernel/mac80211/patches/subsys/350-mac80211-fix-memory-leaks-with-element-parsing.patch | 115 |
1 files changed, 0 insertions, 115 deletions
diff --git a/package/kernel/mac80211/patches/subsys/350-mac80211-fix-memory-leaks-with-element-parsing.patch b/package/kernel/mac80211/patches/subsys/350-mac80211-fix-memory-leaks-with-element-parsing.patch
deleted file mode 100644
index f4906e8c03..0000000000
--- a/package/kernel/mac80211/patches/subsys/350-mac80211-fix-memory-leaks-with-element-parsing.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Fri, 1 Oct 2021 21:11:08 +0200
-Subject: [PATCH] mac80211: fix memory leaks with element parsing
-
-commit 8223ac199a3849257e86ec27865dc63f034b1cf1 upstream.
-
-My previous commit 5d24828d05f3 ("mac80211: always allocate
-struct ieee802_11_elems") had a few bugs and leaked the new
-allocated struct in a few error cases, fix that.
-
-Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d3af7ed1bfeac2e00d08a4637c8025@changeid
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/agg-rx.c
-+++ b/net/mac80211/agg-rx.c
-@@ -499,13 +499,14 @@ void ieee80211_process_addba_request(str
- elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
- ies_len, true, mgmt->bssid, NULL);
- if (!elems || elems->parse_error)
-- return;
-+ goto free;
- }
-
- __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
- start_seq_num, ba_policy, tid,
- buf_size, true, false,
- elems ? elems->addba_ext_ie : NULL);
-+free:
- kfree(elems);
- }
-
---- a/net/mac80211/ibss.c
-+++ b/net/mac80211/ibss.c
-@@ -1659,11 +1659,11 @@ void ieee80211_ibss_rx_queued_mgmt(struc
- mgmt->u.action.u.chan_switch.variable,
- ies_len, true, mgmt->bssid, NULL);
-
-- if (!elems || elems->parse_error)
-- break;
--
-- ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
-- rx_status, elems);
-+ if (elems && !elems->parse_error)
-+ ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,
-+ skb->len,
-+ rx_status,
-+ elems);
- kfree(elems);
- break;
- }
---- a/net/mac80211/mlme.c
-+++ b/net/mac80211/mlme.c
-@@ -3374,8 +3374,10 @@ static bool ieee80211_assoc_success(stru
- bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
- GFP_ATOMIC);
- rcu_read_unlock();
-- if (!bss_ies)
-- return false;
-+ if (!bss_ies) {
-+ ret = false;
-+ goto out;
-+ }
-
- bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
- false, mgmt->bssid,
-@@ -4358,13 +4360,11 @@ void ieee80211_sta_rx_queued_mgmt(struct
- mgmt->u.action.u.chan_switch.variable,
- ies_len, true, mgmt->bssid, NULL);
-
-- if (!elems || elems->parse_error)
-- break;
--
-- ieee80211_sta_process_chanswitch(sdata,
-- rx_status->mactime,
-- rx_status->device_timestamp,
-- elems, false);
-+ if (elems && !elems->parse_error)
-+ ieee80211_sta_process_chanswitch(sdata,
-+ rx_status->mactime,
-+ rx_status->device_timestamp,
-+ elems, false);
- kfree(elems);
- } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
- struct ieee802_11_elems *elems;
-@@ -4384,17 +4384,17 @@ void ieee80211_sta_rx_queued_mgmt(struct
- mgmt->u.action.u.ext_chan_switch.variable,
- ies_len, true, mgmt->bssid, NULL);
-
-- if (!elems || elems->parse_error)
-- break;
-+ if (elems && !elems->parse_error) {
-+ /* for the handling code pretend it was an IE */
-+ elems->ext_chansw_ie =
-+ &mgmt->u.action.u.ext_chan_switch.data;
-+
-+ ieee80211_sta_process_chanswitch(sdata,
-+ rx_status->mactime,
-+ rx_status->device_timestamp,
-+ elems, false);
-+ }
-
-- /* for the handling code pretend this was also an IE */
-- elems->ext_chansw_ie =
-- &mgmt->u.action.u.ext_chan_switch.data;
--
-- ieee80211_sta_process_chanswitch(sdata,
-- rx_status->mactime,
-- rx_status->device_timestamp,
-- elems, false);
- kfree(elems);
- }
- break; |