Commit:
0ec8d6f mwifiex: fix use-after-free in beacon_ie processing
introduced an issue where the "bss" pointer was dereferenced
in mwifiex_bss_start() before a NULL check. Fix this.
Signed-off-by: Paul Stewart <pstew@chromium.org>
BUG=chrome-os-partner:19392
TEST=Change AP SSID while associating.
Change-Id: Iff8e02719f2c2e4f6560fab2dcfc65620c15ac31
Reviewed-on: https://gerrit.chromium.org/gerrit/51015
Commit-Queue: Paul Stewart <pstew@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
struct mwifiex_adapter *adapter = priv->adapter;
struct mwifiex_bssdescriptor *bss_desc = NULL;
u8 *beacon_ie = NULL;
- size_t beacon_ie_len = bss->len_information_elements;
+ size_t beacon_ie_len;
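Review bot: Dropping the initializer on `size_t beacon_ie_len;` is the right fix for the early dereference of `bss`, but the declaration now sits uninitialized next to `bss_desc = NULL` and `beacon_ie = NULL`; consider `size_t beacon_ie_len = 0;` so the variable is never read as garbage if a later path uses it before the new assignment, and so the style matches the adjacent initializers.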
priv->scan_block = false;
return -ENOMEM;
}
+ beacon_ie_len = bss->len_information_elements;
beacon_ie = kmemdup(bss->information_elements, beacon_ie_len,
GFP_KERNEL);
if (!beacon_ie) {
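Review bot: The NULL check on `bss` that this relocated assignment `beacon_ie_len = bss->len_information_elements;` is meant to follow is not inside the visible context; the surrounding `priv->scan_block = false; return -ENOMEM; }` is an allocation-failure exit, not a `bss` check. Please confirm in the full function that the `if (!bss)` (or equivalent) test sits between the declaration and this line, otherwise the dereference has only moved, not been guarded.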