| Message ID | 20210329110021.7497-1-lyl2019@mail.ustc.edu.cn (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to | Netdev Maintainers |
| Series | wireless: hostap: Fix a use after free in hostap_80211_rx |

| Context | Check | Description |
|---|---|---|
| netdev/tree_selection | success | Not a local patch |
Lv Yunlong <lyl2019@mail.ustc.edu.cn> wrote:
> Function hostap_80211_rx() calls prism2_rx_80211(..,skb,..). In
> prism2_rx_80211, I found that the skb could be freed by dev_kfree_skb_any(skb)
> and return 0. It could also be freed by netif_rx(skb) when netif_rx returns
> NET_RX_DROP.
>
> But after calling prism2_rx_80211(..,skb,..), the skb is used via skb->len.
>
> As the new skb->len is returned by prism2_rx_80211(), my patch uses a variable
> len to replace skb->len, following another usage of prism2_rx_80211 in
> monitor_rx().
>
> Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>

Can someone help with reviewing the patch?
diff --git a/drivers/net/wireless/intersil/hostap/hostap_80211_rx.c b/drivers/net/wireless/intersil/hostap/hostap_80211_rx.c index 61be822f90b5..a45ee7b35533 100644 --- a/drivers/net/wireless/intersil/hostap/hostap_80211_rx.c +++ b/drivers/net/wireless/intersil/hostap/hostap_80211_rx.c @@ -1016,10 +1016,10 @@ void hostap_80211_rx(struct net_device *dev, struct sk_buff *skb, if (local->hostapd && local->apdev) { /* Send IEEE 802.1X frames to the user * space daemon for processing */ - prism2_rx_80211(local->apdev, skb, rx_stats, + int len = prism2_rx_80211(local->apdev, skb, rx_stats, PRISM2_RX_MGMT); local->apdevstats.rx_packets++; - local->apdevstats.rx_bytes += skb->len; + local->apdevstats.rx_bytes += len; goto rx_exit; } } else if (!frame_authorized) {
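Review bot: the stats accounting in this hunk still increments `local->apdevstats.rx_packets++` on the path the commit message describes, where prism2_rx_80211() has already freed the skb and returned 0, so a dropped frame is counted as a received packet with zero bytes. If that is not the intent, guard both updates with `if (len > 0)`; if it is intentional because it mirrors monitor_rx(), say so in the commit message. Reading the returned length into `len` instead of touching `skb->len` after the call does close the use-after-free, and since this is a memory-safety fix the commit message should also carry a `Fixes:` tag naming the commit that introduced the post-call `skb->len` read and a `Cc: stable@vger.kernel.org` line.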
Function hostap_80211_rx() calls prism2_rx_80211(..,skb,..). In prism2_rx_80211, I found that the skb could be freed by dev_kfree_skb_any(skb) and return 0. It could also be freed by netif_rx(skb) when netif_rx returns NET_RX_DROP.

But after calling prism2_rx_80211(..,skb,..), the skb is used via skb->len.

As the new skb->len is returned by prism2_rx_80211(), my patch uses a variable len to replace skb->len, following another usage of prism2_rx_80211 in monitor_rx().

Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
---
 drivers/net/wireless/intersil/hostap/hostap_80211_rx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)