Commit 03b73862 authored by Johannes Berg's avatar Johannes Berg

mac80211: fix CSA beacon allocation size

If the FTM responder settings are changed simultaneously with
the CSA beacon, the buffer size allocated isn't sufficient and
we'll have a heap overrun. Fix this.

While at it, also clean up the ftm_responder assignment, doing
it only if ftm_responder is non-zero is valid as it's 0 to start
with, but not really useful to understand the code.

Fixes: bc847970 ("mac80211: support FTM responder configuration/statistics")
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent c177db2d
...@@ -2891,7 +2891,7 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon) ...@@ -2891,7 +2891,7 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon)
len = beacon->head_len + beacon->tail_len + beacon->beacon_ies_len + len = beacon->head_len + beacon->tail_len + beacon->beacon_ies_len +
beacon->proberesp_ies_len + beacon->assocresp_ies_len + beacon->proberesp_ies_len + beacon->assocresp_ies_len +
beacon->probe_resp_len; beacon->probe_resp_len + beacon->lci_len + beacon->civicloc_len;
new_beacon = kzalloc(sizeof(*new_beacon) + len, GFP_KERNEL); new_beacon = kzalloc(sizeof(*new_beacon) + len, GFP_KERNEL);
if (!new_beacon) if (!new_beacon)
...@@ -2934,8 +2934,9 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon) ...@@ -2934,8 +2934,9 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon)
memcpy(pos, beacon->probe_resp, beacon->probe_resp_len); memcpy(pos, beacon->probe_resp, beacon->probe_resp_len);
pos += beacon->probe_resp_len; pos += beacon->probe_resp_len;
} }
if (beacon->ftm_responder)
new_beacon->ftm_responder = beacon->ftm_responder; /* might copy -1, meaning no changes requested */
new_beacon->ftm_responder = beacon->ftm_responder;
if (beacon->lci) { if (beacon->lci) {
new_beacon->lci_len = beacon->lci_len; new_beacon->lci_len = beacon->lci_len;
new_beacon->lci = pos; new_beacon->lci = pos;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment