From patchwork Thu May 17 13:25:03 2018
X-Patchwork-Submitter: Dedy Lansky
X-Patchwork-Id: 10406823
X-Patchwork-Delegate: johannes@sipsolutions.net
From: "Dedy Lansky"
Subject: [PATCH] nl80211: fix nlmsg allocation in cfg80211_ft_event
Date: Thu, 17 May 2018 16:25:03 +0300
Message-ID: <000901d3ede2$78a3aa20$69eafe60$@codeaurora.org>
X-Mailing-List: linux-wireless@vger.kernel.org

From: Dedy Lansky

Allocation size of nlmsg in cfg80211_ft_event is based on ric_ies_len and doesn't take into account ies_len. This leads to NL80211_CMD_FT_EVENT message construction failure in case ft_event contains large enough ies buffer. Add ies_len to the nlmsg allocation size.

Signed-off-by: Dedy Lansky

--- net/wireless/nl80211.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index afbe510..64afd04 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c 
@@ -15755,7 +15755,8 @@ void cfg80211_ft_event(struct net_device *netdev, if (!ft_event->target_ap) return; - msg = nlmsg_new(100 + ft_event->ric_ies_len, GFP_KERNEL); + msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len, + GFP_KERNEL); if (!msg) return;
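
Review bot: The size passed to nlmsg_new() in cfg80211_ft_event() still rests on the unexplained constant 100 and adds the raw ies_len and ric_ies_len, so the netlink attribute header and alignment padding for each of the two IE attributes, along with whatever else the message carries, all have to fit inside that 100-byte slack. Consider sizing the variable parts with nla_total_size(ft_event->ies_len) and nla_total_size(ft_event->ric_ies_len), and add a short comment saying what the remaining constant covers, so that a later attribute added to this event does not bring back the same construction failure. The commit message also has no Fixes: tag; naming the commit that introduced the undersized allocation would make it easier to judge which stable trees need this.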