[PATCH] staging: wlan-ng: Fix potential double free in skb_ether_to_p80211

[PATCH] staging: wlan-ng: Fix potential double free in skb_ether_to_p80211

[Mikhail Arkhipov]

Fix a potential double free of the p80211_wep->data pointer in the
skb_ether_to_p80211 function. When encryption fails, the function frees
p80211_wep->data but does not set the pointer to NULL, leading to the
possibility of double freeing the memory if the caller attempts to
free it again (calling function in p80211netdev.c (line 385) attempts
to free this memory again using kfree_sensitive at line 432)

Set p80211_wep->data to NULL after freeing it to ensure that further
attempts to free this pointer are safely handled, preventing a
double free error.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: b5956dd26f84 ("drivers/staging/wlan-ng/p80211conv.c: fixed a
 potential memory leak")
Signed-off-by: Mikhail Arkhipov <m.arhipov@rosa.ru>
---
 drivers/staging/wlan-ng/p80211conv.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/wlan-ng/p80211conv.c b/drivers/staging/wlan-ng/p80211conv.c
index 0ff5fda81b05..b2e224e1e33f 100644
--- a/drivers/staging/wlan-ng/p80211conv.c
+++ b/drivers/staging/wlan-ng/p80211conv.c
@@ -215,6 +215,7 @@ int skb_ether_to_p80211(struct wlandevice *wlandev, u32 ethconv,
 				    "Host en-WEP failed, dropping frame (%d).\n",
 				    foo);
 			kfree(p80211_wep->data);
+			p80211_wep->data = NULL;
 			return 2;
 		}
 		fc |= cpu_to_le16(WLAN_SET_FC_ISWEP(1));
-- 
2.39.3 (Apple Git-146)

Re: [PATCH] staging: wlan-ng: Fix potential double free in skb_ether_to_p80211

[philipp hortmann]

On Sun, Sep 15, 2024 at 09:58:04PM +0300, Mikhail Arkhipov wrote:
> Fix a potential double free of the p80211_wep->data pointer in the
> skb_ether_to_p80211 function. When encryption fails, the function frees
> p80211_wep->data but does not set the pointer to NULL, leading to the
> possibility of double freeing the memory if the caller attempts to
> free it again (calling function in p80211netdev.c (line 385) attempts
> to free this memory again using kfree_sensitive at line 432)
> 
> Set p80211_wep->data to NULL after freeing it to ensure that further
> attempts to free this pointer are safely handled, preventing a
> double free error.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: b5956dd26f84 ("drivers/staging/wlan-ng/p80211conv.c: fixed a
>  potential memory leak")
> Signed-off-by: Mikhail Arkhipov <m.arhipov@rosa.ru>
> ---
>  drivers/staging/wlan-ng/p80211conv.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/staging/wlan-ng/p80211conv.c b/drivers/staging/wlan-ng/p80211conv.c
> index 0ff5fda81b05..b2e224e1e33f 100644
> --- a/drivers/staging/wlan-ng/p80211conv.c
> +++ b/drivers/staging/wlan-ng/p80211conv.c
> @@ -215,6 +215,7 @@ int skb_ether_to_p80211(struct wlandevice *wlandev, u32 ethconv,
>  				    "Host en-WEP failed, dropping frame (%d).\n",
>  				    foo);
>  			kfree(p80211_wep->data);
> +			p80211_wep->data = NULL;
>  			return 2;
>  		}
>  		fc |= cpu_to_le16(WLAN_SET_FC_ISWEP(1));
> -- 
> 2.39.3 (Apple Git-146)
> 
Hi Mikhail,

I cannot apply your patch. Reason is that wlan-ng was removed some month
ago.

Are you using the right git repo?

git remote show origin
* remote origin
  Fetch URL: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
...
git branch -a
my branch: staging-testing

Thanks for your support.

Bye Philipp