[D,E,F,SRU,1/1,CVE-2019-19055] nl80211: fix memory leak in nl80211_get_ftm_responder_stats
diff mbox series

Message ID 20191126113904.1290-2-po-hsu.lin@canonical.com
State New
Headers show
Series
  • [D,E,F,SRU,1/1,CVE-2019-19055] nl80211: fix memory leak in nl80211_get_ftm_responder_stats
Related show

Commit Message

Po-Hsu Lin Nov. 26, 2019, 11:39 a.m. UTC
From: Navid Emamdoost <navid.emamdoost@gmail.com>

CVE-2019-19055

In nl80211_get_ftm_responder_stats, a new skb is created via nlmsg_new
named msg. If nl80211hdr_put() fails, then msg should be released. The
return statement should be replace by goto to error handling code.

Fixes: 81e54d08d9d8 ("cfg80211: support FTM responder configuration/statistics")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Link: https://lore.kernel.org/r/20191004194220.19412-1-navid.emamdoost@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(cherry picked from commit 1399c59fa92984836db90538cf92397fe7caaa57)
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 net/wireless/nl80211.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Kleber Souza Nov. 27, 2019, 5:08 p.m. UTC | #1
On 26.11.19 12:39, Po-Hsu Lin wrote:
> From: Navid Emamdoost <navid.emamdoost@gmail.com>
> 
> CVE-2019-19055
> 
> In nl80211_get_ftm_responder_stats, a new skb is created via nlmsg_new
> named msg. If nl80211hdr_put() fails, then msg should be released. The
> return statement should be replace by goto to error handling code.
> 
> Fixes: 81e54d08d9d8 ("cfg80211: support FTM responder configuration/statistics")
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> Link: https://lore.kernel.org/r/20191004194220.19412-1-navid.emamdoost@gmail.com
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> (cherry picked from commit 1399c59fa92984836db90538cf92397fe7caaa57)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> ---
>  net/wireless/nl80211.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index da752ca..f04cb89 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -13521,7 +13521,7 @@ static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
>  	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
>  			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
>  	if (!hdr)
> -		return -ENOBUFS;
> +		goto nla_put_failure;
>  
>  	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
>  		goto nla_put_failure;
>
Stefan Bader Nov. 29, 2019, 9:09 a.m. UTC | #2
On 26.11.19 12:39, Po-Hsu Lin wrote:
> From: Navid Emamdoost <navid.emamdoost@gmail.com>
> 
> CVE-2019-19055
> 
> In nl80211_get_ftm_responder_stats, a new skb is created via nlmsg_new
> named msg. If nl80211hdr_put() fails, then msg should be released. The
> return statement should be replace by goto to error handling code.
> 
> Fixes: 81e54d08d9d8 ("cfg80211: support FTM responder configuration/statistics")
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> Link: https://lore.kernel.org/r/20191004194220.19412-1-navid.emamdoost@gmail.com
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> (cherry picked from commit 1399c59fa92984836db90538cf92397fe7caaa57)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  net/wireless/nl80211.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index da752ca..f04cb89 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -13521,7 +13521,7 @@ static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
>  	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
>  			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
>  	if (!hdr)
> -		return -ENOBUFS;
> +		goto nla_put_failure;
>  
>  	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
>  		goto nla_put_failure;
>

Patch
diff mbox series

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index da752ca..f04cb89 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -13521,7 +13521,7 @@  static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
 	if (!hdr)
-		return -ENOBUFS;
+		goto nla_put_failure;
 
 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
 		goto nla_put_failure;