nl80211: Fix use-after-free in qca_nl80211_get_features()

Any data accessible from nla_data() is freed before the send_and_recv_msgs() function returns, therefore we need to allocate space for info.flags ourselves. CRs-Fixed: 1041556 Git-commit: fdc1188a85bb1e2c0a03e38724f6cd126ff374ad Git-repo : git://w1.fi/srv/git/hostap.git Change-Id: I2336830800ece1ea770f57710dc8be2a9a2c4c56 Signed-off-by: Paul Stewart <pstew@google.com>
author: Paul Stewart <pstew@chromium.org> 2016-06-10 08:29:55 -0700
committer: Linux Build Service Account <lnxbuild@localhost> 2016-08-24 08:07:44 -0600
commit: ade78076f83d16282ffc2588fa6f307653711bcc (patch)
tree: 8e7fcefcddd22767fea3c3554d9a0b8a679f8127
parent: 8a61dfcbafd5167a46b803802bad2b87a7d80592 (diff)
download: android_external_wpa_supplicant_8-ade78076f83d16282ffc2588fa6f307653711bcc.tar.gz
android_external_wpa_supplicant_8-ade78076f83d16282ffc2588fa6f307653711bcc.tar.bz2
android_external_wpa_supplicant_8-ade78076f83d16282ffc2588fa6f307653711bcc.zip
1 files changed, 7 insertions, 2 deletions
diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c
index 2b66a805..cc37deee 100644
--- a/src/drivers/driver_nl80211_capa.c
+++ b/src/drivers/driver_nl80211_capa.c
@@ -820,8 +820,12 @@ static int features_info_handler(struct nl_msg *msg, void *arg)
 
 		attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_FEATURE_FLAGS];
 		if (attr) {
-			info->flags = nla_data(attr);
-			info->flags_len = nla_len(attr);
+			int len = nla_len(attr);
+			info->flags = os_malloc(len);
+			if (info->flags != NULL) {
+				os_memcpy(info->flags, nla_data(attr), len);
+				info->flags_len = len;
+			}
 		}
 		attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_CONCURRENCY_CAPA];
 		if (attr)
@@ -886,6 +890,7 @@ static void qca_nl80211_get_features(struct wpa_driver_nl80211_data *drv)
 		drv->capa.flags |= WPA_DRIVER_FLAGS_OFFCHANNEL_SIMULTANEOUS;
 	if (check_feature(QCA_WLAN_VENDOR_FEATURE_P2P_LISTEN_OFFLOAD, &info))
 		drv->capa.flags |= WPA_DRIVER_FLAGS_P2P_LISTEN_OFFLOAD;
+	os_free(info.flags);
 }
 
 #endif /* CONFIG_DRIVER_NL80211_QCA */
author	Paul Stewart <pstew@chromium.org>	2016-06-10 08:29:55 -0700
committer	Linux Build Service Account <lnxbuild@localhost>	2016-08-24 08:07:44 -0600
commit	ade78076f83d16282ffc2588fa6f307653711bcc (patch)
tree	8e7fcefcddd22767fea3c3554d9a0b8a679f8127
parent	8a61dfcbafd5167a46b803802bad2b87a7d80592 (diff)
download	android_external_wpa_supplicant_8-ade78076f83d16282ffc2588fa6f307653711bcc.tar.gz android_external_wpa_supplicant_8-ade78076f83d16282ffc2588fa6f307653711bcc.tar.bz2 android_external_wpa_supplicant_8-ade78076f83d16282ffc2588fa6f307653711bcc.zip