[PATCH] drivers/net/wireless/mwl8k.c: avoid use-after-free

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] drivers/net/wireless/mwl8k.c: avoid use-after-free
@ 2013-01-07  1:27 Nickolai Zeldovich
  2013-01-07  2:48 ` Lennert Buytenhek
  0 siblings, 1 reply; 5+ messages in thread
From: Nickolai Zeldovich @ 2013-01-07  1:27 UTC (permalink / raw)
  To: Lennert Buytenhek, John W. Linville
  Cc: Nickolai Zeldovich, linux-wireless, linux-kernel

Do not dereference p->station_id after kfree(cmd) because p
points into the cmd data structure.

Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
---
 drivers/net/wireless/mwl8k.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mwl8k.c b/drivers/net/wireless/mwl8k.c
index f221b95..83564d3 100644
--- a/drivers/net/wireless/mwl8k.c
+++ b/drivers/net/wireless/mwl8k.c
@@ -4250,9 +4250,11 @@ static int mwl8k_cmd_update_stadb_add(struct ieee80211_hw *hw,
 	p->amsdu_enabled = 0;
 
 	rc = mwl8k_post_cmd(hw, &cmd->header);
+	if (!rc)
+		rc = p->station_id;
 	kfree(cmd);
 
-	return rc ? rc : p->station_id;
+	return rc;
 }
 
 static int mwl8k_cmd_update_stadb_del(struct ieee80211_hw *hw,
-- 
1.7.10.4


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] drivers/net/wireless/mwl8k.c: avoid use-after-free
  2013-01-07  1:27 [PATCH] drivers/net/wireless/mwl8k.c: avoid use-after-free Nickolai Zeldovich
@ 2013-01-07  2:48 ` Lennert Buytenhek
  2013-01-07  3:02   ` Nickolai Zeldovich
  2013-01-07  3:03   ` Julian Calaby
  0 siblings, 2 replies; 5+ messages in thread
From: Lennert Buytenhek @ 2013-01-07  2:48 UTC (permalink / raw)
  To: Nickolai Zeldovich; +Cc: John W. Linville, linux-wireless, linux-kernel

On Sun, Jan 06, 2013 at 08:27:22PM -0500, Nickolai Zeldovich wrote:

> Do not dereference p->station_id after kfree(cmd) because p
> points into the cmd data structure.

Good catch, but the patch would be better titled "mwl8k.c: avoid
having a working driver", as the station_id return code _is_ needed
by the caller in case of success.


> Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
> ---
>  drivers/net/wireless/mwl8k.c |    4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/mwl8k.c b/drivers/net/wireless/mwl8k.c
> index f221b95..83564d3 100644
> --- a/drivers/net/wireless/mwl8k.c
> +++ b/drivers/net/wireless/mwl8k.c
> @@ -4250,9 +4250,11 @@ static int mwl8k_cmd_update_stadb_add(struct ieee80211_hw *hw,
>  	p->amsdu_enabled = 0;
>  
>  	rc = mwl8k_post_cmd(hw, &cmd->header);
> +	if (!rc)
> +		rc = p->station_id;
>  	kfree(cmd);
>  
> -	return rc ? rc : p->station_id;
> +	return rc;
>  }
>  
>  static int mwl8k_cmd_update_stadb_del(struct ieee80211_hw *hw,
> -- 
> 1.7.10.4

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] drivers/net/wireless/mwl8k.c: avoid use-after-free
  2013-01-07  2:48 ` Lennert Buytenhek
@ 2013-01-07  3:02   ` Nickolai Zeldovich
  2013-01-07  3:19     ` Lennert Buytenhek
  2013-01-07  3:03   ` Julian Calaby
  1 sibling, 1 reply; 5+ messages in thread
From: Nickolai Zeldovich @ 2013-01-07  3:02 UTC (permalink / raw)
  To: Lennert Buytenhek; +Cc: John W. Linville, linux-wireless, linux-kernel

On Sun, Jan 6, 2013 at 9:48 PM, Lennert Buytenhek
<buytenh@wantstofly.org> wrote:
> Good catch, but the patch would be better titled "mwl8k.c: avoid
> having a working driver", as the station_id return code _is_ needed
> by the caller in case of success.

I'm not quite sure what you mean -- is there something subtle going on
here?  I believe my patch preserves the semantics of the original
code: it returns the value of p->station_id if mwl8k_post_cmd()
returned 0, but it just does so by reading p->station_id first before
calling kfree(cmd).

Nickolai.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] drivers/net/wireless/mwl8k.c: avoid use-after-free
  2013-01-07  3:02   ` Nickolai Zeldovich
@ 2013-01-07  3:19     ` Lennert Buytenhek
  0 siblings, 0 replies; 5+ messages in thread
From: Lennert Buytenhek @ 2013-01-07  3:19 UTC (permalink / raw)
  To: Nickolai Zeldovich; +Cc: John W. Linville, linux-wireless, linux-kernel

On Sun, Jan 06, 2013 at 10:02:14PM -0500, Nickolai Zeldovich wrote:

> > Good catch, but the patch would be better titled "mwl8k.c: avoid
> > having a working driver", as the station_id return code _is_ needed
> > by the caller in case of success.
> 
> I'm not quite sure what you mean -- is there something subtle going on
> here?  I believe my patch preserves the semantics of the original
> code: it returns the value of p->station_id if mwl8k_post_cmd()
> returned 0, but it just does so by reading p->station_id first before
> calling kfree(cmd).

Oops!  You're right.  Sorry about that.

/me goes to order some crow for dinner

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] drivers/net/wireless/mwl8k.c: avoid use-after-free
  2013-01-07  2:48 ` Lennert Buytenhek
  2013-01-07  3:02   ` Nickolai Zeldovich
@ 2013-01-07  3:03   ` Julian Calaby
  1 sibling, 0 replies; 5+ messages in thread
From: Julian Calaby @ 2013-01-07  3:03 UTC (permalink / raw)
  To: Lennert Buytenhek
  Cc: Nickolai Zeldovich, John W. Linville, linux-wireless,
	linux-kernel

Hi Lennert,

On Mon, Jan 7, 2013 at 1:48 PM, Lennert Buytenhek
<buytenh@wantstofly.org> wrote:
> On Sun, Jan 06, 2013 at 08:27:22PM -0500, Nickolai Zeldovich wrote:
>
>> Do not dereference p->station_id after kfree(cmd) because p
>> points into the cmd data structure.
>
> Good catch, but the patch would be better titled "mwl8k.c: avoid
> having a working driver", as the station_id return code _is_ needed
> by the caller in case of success.

Are you sure?

>> diff --git a/drivers/net/wireless/mwl8k.c b/drivers/net/wireless/mwl8k.c
>> index f221b95..83564d3 100644
>> --- a/drivers/net/wireless/mwl8k.c
>> +++ b/drivers/net/wireless/mwl8k.c
>> @@ -4250,9 +4250,11 @@ static int mwl8k_cmd_update_stadb_add(struct ieee80211_hw *hw,
>>       p->amsdu_enabled = 0;
>>
>>       rc = mwl8k_post_cmd(hw, &cmd->header);
>> +     if (!rc)
>> +             rc = p->station_id;
>>       kfree(cmd);
>>
>> -     return rc ? rc : p->station_id;

If I'm reading this right, the removed line is equivalent to:

if( rc )
    return rc;
else
    return p->station_id;

which is equivalent to:

if( !rc )
    rc = p->station_id;

return rc;


Thanks,

-- 
Julian Calaby

Email: julian.calaby@gmail.com
Profile: http://www.google.com/profiles/julian.calaby/
.Plan: http://sites.google.com/site/juliancalaby/

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2013-01-07  3:19 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-07  1:27 [PATCH] drivers/net/wireless/mwl8k.c: avoid use-after-free Nickolai Zeldovich
2013-01-07  2:48 ` Lennert Buytenhek
2013-01-07  3:02   ` Nickolai Zeldovich
2013-01-07  3:19     ` Lennert Buytenhek
2013-01-07  3:03   ` Julian Calaby

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).