From: philipp hortmann <philipp.g.hortmann@gmail.com>
To: Mikhail Arkhipov <m.arhipov@rosa.ru>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Lynn Lei <lynnl.yet@gmail.com>,
linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org,
lvc-project@linuxtesting.org
Subject: Re: [PATCH] staging: wlan-ng: Fix potential double free in skb_ether_to_p80211
Date: Mon, 16 Sep 2024 06:12:23 +0200
Message-ID: <ZuewJ3ZvWdrCFZVt@kernel-710>
In-Reply-To: <20240915185804.83811-1-m.arhipov@rosa.ru>
On Sun, Sep 15, 2024 at 09:58:04PM +0300, Mikhail Arkhipov wrote:
> Fix a potential double free of the p80211_wep->data pointer in the
> skb_ether_to_p80211 function. When encryption fails, the function frees
> p80211_wep->data but does not set the pointer to NULL, leading to the
> possibility of double freeing the memory if the caller attempts to
> free it again (calling function in p80211netdev.c (line 385) attempts
> to free this memory again using kfree_sensitive at line 432)
>
> Set p80211_wep->data to NULL after freeing it to ensure that further
> attempts to free this pointer are safely handled, preventing a
> double free error.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: b5956dd26f84 ("drivers/staging/wlan-ng/p80211conv.c: fixed a
> potential memory leak")
> Signed-off-by: Mikhail Arkhipov <m.arhipov@rosa.ru>
> ---
> drivers/staging/wlan-ng/p80211conv.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/staging/wlan-ng/p80211conv.c b/drivers/staging/wlan-ng/p80211conv.c
> index 0ff5fda81b05..b2e224e1e33f 100644
> --- a/drivers/staging/wlan-ng/p80211conv.c
> +++ b/drivers/staging/wlan-ng/p80211conv.c
> @@ -215,6 +215,7 @@ int skb_ether_to_p80211(struct wlandevice *wlandev, u32 ethconv,
> "Host en-WEP failed, dropping frame (%d).\n",
> foo);
> kfree(p80211_wep->data);
> + p80211_wep->data = NULL;
> return 2;
> }
> fc |= cpu_to_le16(WLAN_SET_FC_ISWEP(1));
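Review bot: At the added `p80211_wep->data = NULL;` line, ownership of the buffer stays split between this error path and the caller, and the two release it differently: plain `kfree()` here, `kfree_sensitive()` in the caller according to the commit message. Consider dropping the `kfree()` from this error path so the caller's `kfree_sensitive()` is the single owner of the free, or switching this call to `kfree_sensitive()` before clearing the pointer, so the WEP buffer is zeroed on every path. If the NULL assignment stays as is, a one-line comment noting that the caller frees `p80211_wep->data` unconditionally would explain why it is needed.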
> --
> 2.39.3 (Apple Git-146)
>
Hi Mikhail,
I cannot apply your patch. Reason is that wlan-ng was removed some months
ago.
Are you using the right git repo?
git remote show origin
* remote origin
Fetch URL: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
...
git branch -a
my branch: staging-testing
Thanks for your support.
Bye Philipp