mac80211: reject zero cookie in mgmt-tx/roc cancel

When cancelling, you can cancel "any" (first in list) mgmt-tx or remain-on-channel operation by using the value 0 for the cookie along with the *opposite* operation, i.e. * cancel the first mgmt-tx by cancelling roc with 0 cookie * cancel the first roc by cancelling mgmt-tx with 0 cookie This isn't really that bad since userspace should only pass cookies that we gave it, but could lead to hard-to-debug issues so better prevent it and reject zero values since we never hand those out. Signed-off-by: Johannes Berg <johannes.berg@intel.com>

mac80211: reject zero cookie in mgmt-tx/roc cancel
When cancelling, you can cancel "any" (first in list) mgmt-tx or remain-on-channel operation by using the value 0 for the cookie along with the *opposite* operation, i.e. * cancel the first mgmt-tx by cancelling roc with 0 cookie * cancel the first roc by cancelling mgmt-tx with 0 cookie This isn't really that bad since userspace should only pass cookies that we gave it, but could lead to hard-to-debug issues so better prevent it and reject zero values since we never hand those out. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
7d37fcd4 · Johannes Berg · 959eb2fd · 7d37fcd4
Commit 7d37fcd4 authored Dec 01, 2015 by Johannes Berg
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

net/mac80211/offchannel.c net/mac80211/offchannel.c +3 -0

No files found.
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -697,6 +697,9 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local,
 	struct ieee80211_roc_work *roc, *tmp, *found = NULL;
 	int ret;

+	if (!cookie)
+		return -ENOENT;
+
 	mutex_lock(&local->mtx);
 	list_for_each_entry_safe(roc, tmp, &local->roc_list, list) {
 		if (!mgmt_tx && roc->cookie != cookie)