[D,E,F,SRU,1/1,CVE-2019-19055] nl80211: fix memory leak in nl80211_get_ftm_responder_stats

Message ID 20191126113904.1290-2-po-hsu.lin@canonical.com
State New

Commit Message

Po-Hsu Lin Nov. 26, 2019, 11:39 a.m. UTC
From: Navid Emamdoost <navid.emamdoost@gmail.com>

CVE-2019-19055

In nl80211_get_ftm_responder_stats, a new skb is created via nlmsg_new
named msg. If nl80211hdr_put() fails, then msg should be released. The
return statement should be replaced by goto to error handling code.

Fixes: 81e54d08d9d8 ("cfg80211: support FTM responder configuration/statistics")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Link: https://lore.kernel.org/r/20191004194220.19412-1-navid.emamdoost@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(cherry picked from commit 1399c59fa92984836db90538cf92397fe7caaa57)
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 net/wireless/nl80211.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Kleber Sacilotto de Souza Nov. 27, 2019, 5:08 p.m. UTC | #1
On 26.11.19 12:39, Po-Hsu Lin wrote:
> From: Navid Emamdoost <navid.emamdoost@gmail.com>
> 
> CVE-2019-19055
> 
> In nl80211_get_ftm_responder_stats, a new skb is created via nlmsg_new
> named msg. If nl80211hdr_put() fails, then msg should be released. The
> return statement should be replaced by goto to error handling code.
> 
> Fixes: 81e54d08d9d8 ("cfg80211: support FTM responder configuration/statistics")
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> Link: https://lore.kernel.org/r/20191004194220.19412-1-navid.emamdoost@gmail.com
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> (cherry picked from commit 1399c59fa92984836db90538cf92397fe7caaa57)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> ---
>  net/wireless/nl80211.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index da752ca..f04cb89 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -13521,7 +13521,7 @@ static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
>  	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
>  			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
>  	if (!hdr)
> -		return -ENOBUFS;
> +		goto nla_put_failure;
>  
>  	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
>  		goto nla_put_failure;
>
Stefan Bader Nov. 29, 2019, 9:09 a.m. UTC | #2
On 26.11.19 12:39, Po-Hsu Lin wrote:
> From: Navid Emamdoost <navid.emamdoost@gmail.com>
> 
> CVE-2019-19055
> 
> In nl80211_get_ftm_responder_stats, a new skb is created via nlmsg_new
> named msg. If nl80211hdr_put() fails, then msg should be released. The
> return statement should be replaced by goto to error handling code.
> 
> Fixes: 81e54d08d9d8 ("cfg80211: support FTM responder configuration/statistics")
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> Link: https://lore.kernel.org/r/20191004194220.19412-1-navid.emamdoost@gmail.com
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> (cherry picked from commit 1399c59fa92984836db90538cf92397fe7caaa57)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  net/wireless/nl80211.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index da752ca..f04cb89 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -13521,7 +13521,7 @@ static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
>  	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
>  			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
>  	if (!hdr)
> -		return -ENOBUFS;
> +		goto nla_put_failure;
>  
>  	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
>  		goto nla_put_failure;
>
Patch

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index da752ca..f04cb89 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -13521,7 +13521,7 @@  static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
 	if (!hdr)
-		return -ENOBUFS;
+		goto nla_put_failure;
 
 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
 		goto nla_put_failure;
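
Review bot: at the "if (!hdr)" branch the explicit "return -ENOBUFS" is dropped in favour of a jump to nla_put_failure, but the body of that label lies outside this hunk, so neither the release of msg nor the error code returned on this path can be confirmed from the lines shown. Please say in the commit message that the label frees msg and which errno it returns, so that reviewers of the backport can check that userspace still gets the same error as before. A smaller style point: nla_put_failure now also covers a failed nl80211hdr_put(), which the label name does not suggest; since the nla_put_u32() check two lines below uses the same label, reusing it is acceptable as is.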