diff mbox series

[X/A/B/C,1/1] mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl()

Message ID 20180514054203.9489-2-khalid.elmously@canonical.com
State New
Headers show
Series CVE-2018-8087 | expand

Commit Message

Khalid Elmously May 14, 2018, 5:42 a.m. UTC 
From: "weiyongjun (A)" <weiyongjun1@huawei.com>

CVE-2018-8087

'hwname' is malloced in hwsim_new_radio_nl() and should be freed
before leaving from the error handling cases, otherwise it will cause
memory leak.

Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(cherry-picked from 0ddcff49b672239dda94d70d0fcf50317a9f4b51)
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
---
 drivers/net/wireless/mac80211_hwsim.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Andy Whitcroft May 14, 2018, 9:46 a.m. UTC | #1 
On Mon, May 14, 2018 at 01:42:03AM -0400, Khalid Elmously wrote:
> From: "weiyongjun (A)" <weiyongjun1@huawei.com>
> 
> CVE-2018-8087
> 
> 'hwname' is malloced in hwsim_new_radio_nl() and should be freed
> before leaving from the error handling cases, otherwise it will cause
> memory leak.
> 
> Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")
> Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
> Reviewed-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> (cherry-picked from 0ddcff49b672239dda94d70d0fcf50317a9f4b51)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> ---
>  drivers/net/wireless/mac80211_hwsim.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
> index 6467ffac9811..d2ab96863fce 100644
> --- a/drivers/net/wireless/mac80211_hwsim.c
> +++ b/drivers/net/wireless/mac80211_hwsim.c
> @@ -3142,8 +3142,10 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)
>  	if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) {
>  		u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]);
>  
> -		if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom))
> +		if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) {
> +			kfree(hwname);
>  			return -EINVAL;
> +		}
>  		param.regd = hwsim_world_regdom_custom[idx];
>  	}
>  
> -- 
> 2.17.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Clean cherry-pick, looks to do what is claimed.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
diff mbox series

Patch

diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 6467ffac9811..d2ab96863fce 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3142,8 +3142,10 @@  static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)
 	if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) {
 		u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]);
 
-		if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom))
+		if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) {
+			kfree(hwname);
 			return -EINVAL;
+		}
 		param.regd = hwsim_world_regdom_custom[idx];
 	}