summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJouni Malinen <jouni.malinen@atheros.com>2009-03-20 17:57:36 +0200
committerJohn W. Linville <linville@tuxdriver.com>2009-03-20 16:01:57 -0400
commitf3f9258678b081c3ef2f036aef450cd2053ef419 (patch)
treea1c619e776cdea71943429dffbbaa87b0a7c7999
parent170ebf85160dd128e1c4206cc197cce7d1424705 (diff)
downloadlwn-f3f9258678b081c3ef2f036aef450cd2053ef419.tar.gz
lwn-f3f9258678b081c3ef2f036aef450cd2053ef419.zip
nl80211: Check that function pointer != NULL before using it
NL80211_CMD_GET_MESH_PARAMS and NL80211_CMD_SET_MESH_PARAMS handlers did not verify whether a function pointer is NULL (not supported by the driver) before trying to call the function. The former nl80211 command is available for unprivileged users, too, so this can potentially allow normal users to kill networking (or worse..) if mac80211 is built without CONFIG_MAC80211_MESH=y. Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--net/wireless/nl80211.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 1e728fff474e..31b807af3235 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1908,6 +1908,11 @@ static int nl80211_get_mesh_params(struct sk_buff *skb,
if (err)
return err;
+ if (!drv->ops->get_mesh_params) {
+ err = -EOPNOTSUPP;
+ goto out;
+ }
+
/* Get the mesh params */
rtnl_lock();
err = drv->ops->get_mesh_params(&drv->wiphy, dev, &cur_params);
@@ -2017,6 +2022,11 @@ static int nl80211_set_mesh_params(struct sk_buff *skb, struct genl_info *info)
if (err)
return err;
+ if (!drv->ops->set_mesh_params) {
+ err = -EOPNOTSUPP;
+ goto out;
+ }
+
/* This makes sure that there aren't more than 32 mesh config
* parameters (otherwise our bitfield scheme would not work.) */
BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
@@ -2061,6 +2071,7 @@ static int nl80211_set_mesh_params(struct sk_buff *skb, struct genl_info *info)
err = drv->ops->set_mesh_params(&drv->wiphy, dev, &cfg, mask);
rtnl_unlock();
+ out:
/* cleanup */
cfg80211_put_dev(drv);
dev_put(dev);