CHROMIUM: mwifiex: Dereference bss only if it is non-null
author Bing Zhao <bzhao@marvell.com>
Mon, 13 May 2013 19:46:10 +0000 (12:46 -0700)
committer ChromeBot <chrome-bot@google.com>
Mon, 13 May 2013 21:23:34 +0000 (14:23 -0700)
Commit:
  0ec8d6f mwifiex: fix use-after-free in beacon_ie processing

introduced an issue where the "bss" pointer was dereferenced
in mwifiex_bss_start() before a NULL check.  Fix this.

Signed-off-by: Paul Stewart <pstew@chromium.org>
BUG=chrome-os-partner:19392
TEST=Change AP SSID while associating.

Change-Id: Iff8e02719f2c2e4f6560fab2dcfc65620c15ac31
Reviewed-on: https://gerrit.chromium.org/gerrit/51015
Commit-Queue: Paul Stewart <pstew@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
drivers/net/wireless/mwifiex/sta_ioctl.c

index 20ed125..1474a02 100644 (file)
@@ -230,7 +230,7 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
        struct mwifiex_adapter *adapter = priv->adapter;
        struct mwifiex_bssdescriptor *bss_desc = NULL;
        u8 *beacon_ie = NULL;
-       size_t beacon_ie_len = bss->len_information_elements;
+       size_t beacon_ie_len;
 
        priv->scan_block = false;
 
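Review bot: dropping the initializer leaves `size_t beacon_ie_len;` uninitialized at declaration, so any read of it on the path where the later `if (bss)` block is skipped would be an uninitialized-variable bug, and some compilers will warn about it. Since the whole point of the change is that `bss` may be NULL, please either initialize it here (`size_t beacon_ie_len = 0;`) or confirm in the commit message that `beacon_ie_len` is consumed only inside the guarded block.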
@@ -245,6 +245,7 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
                        return -ENOMEM;
                }
 
+               beacon_ie_len = bss->len_information_elements;
                beacon_ie = kmemdup(bss->information_elements, beacon_ie_len,
                                    GFP_KERNEL);
                if (!beacon_ie) {
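Review bot: the new `beacon_ie_len = bss->len_information_elements;` sits directly before the `kmemdup(bss->information_elements, beacon_ie_len, GFP_KERNEL)` call, which is the right spot because both reads of `bss` now happen together after the NULL check the commit message refers to; the hunk's context does not show that check, so please include a few more lines above (the `if (bss)` / `-ENOMEM` branch) in the diff or the message so the reviewer can see that the guard actually precedes this block. A minor style point: since the length is read only for this one call, passing `bss->len_information_elements` straight into `kmemdup()` would avoid keeping a separately initialized local at all.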