diff options
author | Johannes Berg <johannes.berg@intel.com> | 2013-07-30 20:34:28 (GMT) |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2013-07-30 20:40:34 (GMT) |
commit | c319d50bfcf678c2857038276d9fab3c6646f3bf (patch) | |
tree | fcdfa7d5417adb75c7957272dbb1e5ed91da3001 /net/wireless/nl80211.c | |
parent | 23df0b731954502a9391e739b92927cee4360343 (diff) | |
download | linux-c319d50bfcf678c2857038276d9fab3c6646f3bf.tar.xz |
nl80211: fix another nl80211_fam.attrbuf race
This is similar to the race Linus had reported, but in this case
it's an older bug: nl80211_prepare_wdev_dump() uses the wiphy
index in cb->args[0] as it is and thus parses the message over
and over again instead of just once because 0 is the first valid
wiphy index. Similar code in nl80211_testmode_dump() correctly
offsets the wiphy_index by 1, do that here as well.
Cc: stable@vger.kernel.org
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless/nl80211.c')
-rw-r--r-- | net/wireless/nl80211.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 25d217d9..3fcba69 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -441,10 +441,12 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb, goto out_unlock; } *rdev = wiphy_to_dev((*wdev)->wiphy); - cb->args[0] = (*rdev)->wiphy_idx; + /* 0 is the first index - add 1 to parse only once */ + cb->args[0] = (*rdev)->wiphy_idx + 1; cb->args[1] = (*wdev)->identifier; } else { - struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0]); + /* subtract the 1 again here */ + struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1); struct wireless_dev *tmp; if (!wiphy) { |