mwifiex: fix potential NULL dereference and use after free (1dcd9429) · Commits · 戴 / test

There are two defects: (1) passing a NULL bss to mwifiex_save_hidden_ssid_channels will result in NULL dereference, (2) using bss after dropping the reference to it via cfg80211_put_bss. To fix them, the patch moves the buggy code to the branch that bss is not NULL and puts it before cfg80211_put_bss. Signed-off-by:

Pan Bian <bianpan2016@163.com> Signed-off-by:

Kalle Valo <kvalo@codeaurora.org>

drivers/net/wireless/marvell/mwifiex/scan.c

+10 −8

Original line number	Diff line number	Diff line
		@@ -1882,15 +1882,17 @@ mwifiex_parse_single_response_buf(struct mwifiex_private priv, u8 *bss_info,
		ETH_ALEN))
		mwifiex_update_curr_bss_params(priv,
		bss);
		cfg80211_put_bss(priv->wdev.wiphy, bss);
		}

		if ((chan->flags & IEEE80211_CHAN_RADAR) \|\|
		(chan->flags & IEEE80211_CHAN_NO_IR)) {
		mwifiex_dbg(adapter, INFO,
		"radar or passive channel %d\n",
		channel);
		mwifiex_save_hidden_ssid_channels(priv, bss);
		mwifiex_save_hidden_ssid_channels(priv,
		bss);
		}

		cfg80211_put_bss(priv->wdev.wiphy, bss);
		}
		}
		} else {

Admin message