nl80211: check nla_put_* return values

Coverity pointed out that in a few functions we don't check the return value of the nla_put_*() calls. Most of these are fairly harmless because the input isn't very dynamic and controlled by the kernel, but the pattern is simply wrong, so fix this. Signed-off-by: Johannes Berg <johannes.berg@intel.com>

nl80211: check nla_put_* return values
Coverity pointed out that in a few functions we don't check the return value of the nla_put_*() calls. Most of these are fairly harmless because the input isn't very dynamic and controlled by the kernel, but the pattern is simply wrong, so fix this. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
ae917c9f · Johannes Berg · 18db594a · ae917c9f
Commit ae917c9f authored Oct 25, 2013 by Johannes Berg
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 22 deletions

net/wireless/nl80211.c net/wireless/nl80211.c +30 -22

No files found.
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -9633,8 +9633,9 @@ static int nl80211_add_scan_req(struct sk_buff *msg,
 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
 		goto nla_put_failure;
-	if (req->flags)
+	if (req->flags &&
-		nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags);
+	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -11118,16 +11119,18 @@ void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
 				wakeup->pattern_idx))
 			goto free_msg;
-		if (wakeup->tcp_match)
+		if (wakeup->tcp_match &&
-			nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH);
+		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
+			goto free_msg;
-		if (wakeup->tcp_connlost)
+		if (wakeup->tcp_connlost &&
-			nla_put_flag(msg,
+		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
-				     NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST);
+			goto free_msg;
-		if (wakeup->tcp_nomoretokens)
+		if (wakeup->tcp_nomoretokens &&
-			nla_put_flag(msg,
+		    nla_put_flag(msg,
-				NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS);
+				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
+			goto free_msg;
 		if (wakeup->packet) {
 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
@@ -11263,24 +11266,29 @@ void cfg80211_ft_event(struct net_device *netdev,
 		return;
 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
-	if (!hdr) {
+	if (!hdr)
-		nlmsg_free(msg);
+		goto out;
-		return;
-	}
+	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
+	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
+	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
+		goto out;
-	nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
+	if (ft_event->ies &&
-	nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex);
+	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
-	nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap);
+		goto out;
-	if (ft_event->ies)
+	if (ft_event->ric_ies &&
-		nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies);
+	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
-	if (ft_event->ric_ies)
+		    ft_event->ric_ies))
-		nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
+		goto out;
-			ft_event->ric_ies);
 	genlmsg_end(msg, hdr);
 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
 				NL80211_MCGRP_MLME, GFP_KERNEL);
+	return;
+ out:
+	nlmsg_free(msg);
 }
 EXPORT_SYMBOL(cfg80211_ft_event);