From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Julian Squires, Johannes Berg, Sasha Levin
Subject: [PATCH 4.9 066/212] cfg80211: check vendor command doit pointer before use
Date: Thu, 20 Aug 2020 11:20:39 +0200
Message-Id: <20200820091605.703291165@linuxfoundation.org>
In-Reply-To: <20200820091602.251285210@linuxfoundation.org>
References: <20200820091602.251285210@linuxfoundation.org>

From: Julian Squires

[ Upstream commit 4052d3d2e8f47a15053320bbcbe365d15610437d ]

In the case where a vendor command does not implement doit, and has no flags set, doit would not be validated and a NULL pointer dereference would occur, for example when invoking the vendor command via iw.

I encountered this while developing new vendor commands. Perhaps in practice it is advisable to always implement doit along with dumpit, but it seems reasonable to me to always check doit anyway, not just when NEED_WDEV.

Signed-off-by: Julian Squires
Link: https://lore.kernel.org/r/20200706211353.2366470-1-julian@cipht.net
Signed-off-by: Johannes Berg
Signed-off-by: Sasha Levin
--- net/wireless/nl80211.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 0048f90944ddf..e107754e29a77 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c 
@@ -11317,13 +11317,13 @@ static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info) if (!wdev->netdev && !wdev->p2p_started) return -ENETDOWN; } - - if (!vcmd->doit) - return -EOPNOTSUPP; } else { wdev = NULL; } + if (!vcmd->doit) + return -EOPNOTSUPP; + if (info->attrs[NL80211_ATTR_VENDOR_DATA]) { data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]); len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]); -- 2.25.1
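
Review bot: The relocated `if (!vcmd->doit)` check, now placed after the `} else { wdev = NULL; }` branch in nl80211_vendor_cmd(), carries no comment saying why it has to sit outside the flags test, so a later cleanup could fold it back into the wdev/netdev path and bring back the NULL dereference for commands with no flags set. A one-line comment above it stating that doit may be absent and must be rejected for every flag combination before the handler is called would make the intent hard to lose. The placement itself looks right: the check still runs before the NL80211_ATTR_VENDOR_DATA parsing shown in the trailing context, and the error stays -EOPNOTSUPP, so callers that already handled that return value for the flagged case see no new error code. Since the commit message notes that a command can be defined without doit at all, it may also be worth considering a warning when such a command is registered, so a driver author finds out at load time rather than through a failed netlink request.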