wifi: cfg80211: fix a possible memory leak

Message ID 20221101201931.119136-1-dinguyen@kernel.org
State New
Headers
Series wifi: cfg80211: fix a possible memory leak |

Commit Message

Dinh Nguyen Nov. 1, 2022, 8:19 p.m. UTC
  Klockworks reported a possible memory leak when
cfg80211_inform_single_bss_data() return on an error and ies is left
allocated.

Fixes: 0e227084aee3 ("cfg80211: clarify BSS probe response vs. beacon data")
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
---
 net/wireless/scan.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
  

Comments

Johannes Berg Dec. 1, 2022, 2:21 p.m. UTC | #1
On Tue, 2022-11-01 at 15:19 -0500, Dinh Nguyen wrote:
> Klockworks
> 
You probably mean "klocwork" :)

>  reported a possible memory leak when
> cfg80211_inform_single_bss_data() return on an error and ies is left
> allocated.
> 
> Fixes: 0e227084aee3 ("cfg80211: clarify BSS probe response vs. beacon data")
> Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
> ---
>  net/wireless/scan.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> index 806a5f1330ff..3c81dc17e079 100644
> --- a/net/wireless/scan.c
> +++ b/net/wireless/scan.c
> @@ -2015,8 +2015,10 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
>  
>  	signal_valid = data->chan == channel;
>  	res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid, ts);
> -	if (!res)
> +	if (!res) {
> +		kfree(ies);
>  		return NULL;
> +	}
> 

To be honest this makes me a bit nervous - the function will take over
ownership of the tmp BSS in many cases if not all. Not saying it doesn't
have a bug, but at least one case inside of it *does* free it even in
the case of returning NULL and then you have a double-free?

So I think you didn't look at the code closely enough. Please do check
and follow up with a proper fix.

johannes
  

Patch

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 806a5f1330ff..3c81dc17e079 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2015,8 +2015,10 @@  cfg80211_inform_single_bss_data(struct wiphy *wiphy,
 
 	signal_valid = data->chan == channel;
 	res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid, ts);
-	if (!res)
+	if (!res) {
+		kfree(ies);
 		return NULL;
+	}
 
 	if (channel->band == NL80211_BAND_60GHZ) {
 		bss_type = res->pub.capability & WLAN_CAPABILITY_DMG_TYPE_MASK;