| author | Paul Stewart <pstew@google.com> | 2016-06-10 08:29:55 -0700 |
|---|---|---|
| committer | Paul Stewart <pstew@google.com> | 2016-06-10 08:36:24 -0700 |
| commit | 748cf248afe1d09a4c6973615343fd1192084ea3 (patch) | |
| tree | 76e8ec50a10ba80fdb96d33c9477f6d3f64d19d0 | |
| parent | d6cd7d7f4dd46af125c09ef3ca37f11426b27302 (diff) | |
Fix use-after-free in qca_nl80211_get_features
Any data accessible from nla_data is freed before the
send_and_recv_msgs function returns, therefore we need to allocate
space for info.flags ourselves.
BUG=29237626
Change-Id: I622d1c624cce785ca7ed76f5c0ea8c5011c9be45
| -rw-r--r-- | src/drivers/driver_nl80211_capa.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c
index 14a93a05..004d88e3 100644
--- a/src/drivers/driver_nl80211_capa.c
+++ b/src/drivers/driver_nl80211_capa.c
@@ -820,8 +820,12 @@ static int features_info_handler(struct nl_msg *msg, void *arg)
 attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_FEATURE_FLAGS];
 if (attr) {
- info->flags = nla_data(attr);
- info->flags_len = nla_len(attr);
+ int len = nla_len(attr);
+ info->flags = os_malloc(len);
+ if (info->flags != NULL) {
+ os_memcpy(info->flags, nla_data(attr), len);
+ info->flags_len = len;
+ }
 }
 attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_CONCURRENCY_CAPA];
 if (attr)
@@ -884,6 +888,7 @@ static void qca_nl80211_get_features(struct wpa_driver_nl80211_data *drv)
 if (check_feature(QCA_WLAN_VENDOR_FEATURE_OFFCHANNEL_SIMULTANEOUS, &info))
 drv->capa.flags |= WPA_DRIVER_FLAGS_OFFCHANNEL_SIMULTANEOUS;
+ os_free(info.flags);
 }
 #endif /* CONFIG_DRIVER_NL80211_QCA */ |
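Review bot: The new `info->flags = os_malloc(len);` in features_info_handler unconditionally overwrites whatever pointer info->flags already holds, so if the handler runs more than once for the same `info` (netlink receive callbacks are invoked per message; the handler's head is outside the hunk) the earlier buffer is leaked — releasing it first, `os_free(info->flags);` immediately before the `os_malloc`, or skipping the attribute when info->flags is already non-NULL, would close that. On allocation failure the branch leaves info->flags_len untouched, which is only safe if the caller zeroed `info` before send_and_recv_msgs; that initialization is not visible here and should be confirmed. The added `os_free(info.flags);` in qca_nl80211_get_features only covers the fall-through exit: any early `return` between the send_and_recv_msgs call and these lines, which also lie outside the hunk, must free info.flags as well (or return only while it is still NULL), otherwise the use-after-free becomes a leak on that path. A short comment on the allocation, `/* nla_data() is freed once send_and_recv_msgs() returns; keep our own copy */`, would record why the copy is needed for the next reader.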
