Commit 2551e0bf authored by weiyongjun (A)'s avatar weiyongjun (A) Committed by Stefan Bader

mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl()

CVE-2018-8087

'hwname' is malloced in hwsim_new_radio_nl() and should be freed
before leaving from the error handling cases, otherwise it will cause
memory leak.

Fixes: ff4dd73d ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")
Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
(cherry-picked from 0ddcff49)
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
Acked-by: default avatarPo-Hsu Lin <po-hsu.lin@canonical.com>
Acked-by: default avatarAndy Whitcroft <andy.whitcroft@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent b1b1d467
...@@ -2925,8 +2925,10 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info) ...@@ -2925,8 +2925,10 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)
if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) { if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) {
u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]); u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]);
if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) {
kfree(hwname);
return -EINVAL; return -EINVAL;
}
param.regd = hwsim_world_regdom_custom[idx]; param.regd = hwsim_world_regdom_custom[idx];
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment