Commit d5414c23 authored by Aditya Pakki's avatar Aditya Pakki Committed by Kalle Valo

rsi: Fix NULL pointer dereference in kmalloc

kmalloc can fail in rsi_register_rates_channels but memcpy still attempts
to write to channels. The patch replaces these calls with kmemdup and
passes the error upstream.
Signed-off-by: default avatarAditya Pakki <pakki001@umn.edu>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
parent 9490c560
...@@ -188,27 +188,27 @@ bool rsi_is_cipher_wep(struct rsi_common *common) ...@@ -188,27 +188,27 @@ bool rsi_is_cipher_wep(struct rsi_common *common)
* @adapter: Pointer to the adapter structure. * @adapter: Pointer to the adapter structure.
* @band: Operating band to be set. * @band: Operating band to be set.
* *
* Return: None. * Return: int - 0 on success, negative error on failure.
*/ */
static void rsi_register_rates_channels(struct rsi_hw *adapter, int band) static int rsi_register_rates_channels(struct rsi_hw *adapter, int band)
{ {
struct ieee80211_supported_band *sbands = &adapter->sbands[band]; struct ieee80211_supported_band *sbands = &adapter->sbands[band];
void *channels = NULL; void *channels = NULL;
if (band == NL80211_BAND_2GHZ) { if (band == NL80211_BAND_2GHZ) {
channels = kmalloc(sizeof(rsi_2ghz_channels), GFP_KERNEL); channels = kmemdup(rsi_2ghz_channels, sizeof(rsi_2ghz_channels),
memcpy(channels, GFP_KERNEL);
rsi_2ghz_channels, if (!channels)
sizeof(rsi_2ghz_channels)); return -ENOMEM;
sbands->band = NL80211_BAND_2GHZ; sbands->band = NL80211_BAND_2GHZ;
sbands->n_channels = ARRAY_SIZE(rsi_2ghz_channels); sbands->n_channels = ARRAY_SIZE(rsi_2ghz_channels);
sbands->bitrates = rsi_rates; sbands->bitrates = rsi_rates;
sbands->n_bitrates = ARRAY_SIZE(rsi_rates); sbands->n_bitrates = ARRAY_SIZE(rsi_rates);
} else { } else {
channels = kmalloc(sizeof(rsi_5ghz_channels), GFP_KERNEL); channels = kmemdup(rsi_5ghz_channels, sizeof(rsi_5ghz_channels),
memcpy(channels, GFP_KERNEL);
rsi_5ghz_channels, if (!channels)
sizeof(rsi_5ghz_channels)); return -ENOMEM;
sbands->band = NL80211_BAND_5GHZ; sbands->band = NL80211_BAND_5GHZ;
sbands->n_channels = ARRAY_SIZE(rsi_5ghz_channels); sbands->n_channels = ARRAY_SIZE(rsi_5ghz_channels);
sbands->bitrates = &rsi_rates[4]; sbands->bitrates = &rsi_rates[4];
...@@ -227,6 +227,7 @@ static void rsi_register_rates_channels(struct rsi_hw *adapter, int band) ...@@ -227,6 +227,7 @@ static void rsi_register_rates_channels(struct rsi_hw *adapter, int band)
sbands->ht_cap.mcs.rx_mask[0] = 0xff; sbands->ht_cap.mcs.rx_mask[0] = 0xff;
sbands->ht_cap.mcs.tx_params = IEEE80211_HT_MCS_TX_DEFINED; sbands->ht_cap.mcs.tx_params = IEEE80211_HT_MCS_TX_DEFINED;
/* sbands->ht_cap.mcs.rx_highest = 0x82; */ /* sbands->ht_cap.mcs.rx_highest = 0x82; */
return 0;
} }
static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw, static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw,
...@@ -2064,11 +2065,16 @@ int rsi_mac80211_attach(struct rsi_common *common) ...@@ -2064,11 +2065,16 @@ int rsi_mac80211_attach(struct rsi_common *common)
wiphy->available_antennas_rx = 1; wiphy->available_antennas_rx = 1;
wiphy->available_antennas_tx = 1; wiphy->available_antennas_tx = 1;
rsi_register_rates_channels(adapter, NL80211_BAND_2GHZ); status = rsi_register_rates_channels(adapter, NL80211_BAND_2GHZ);
if (status)
return status;
wiphy->bands[NL80211_BAND_2GHZ] = wiphy->bands[NL80211_BAND_2GHZ] =
&adapter->sbands[NL80211_BAND_2GHZ]; &adapter->sbands[NL80211_BAND_2GHZ];
if (common->num_supp_bands > 1) { if (common->num_supp_bands > 1) {
rsi_register_rates_channels(adapter, NL80211_BAND_5GHZ); status = rsi_register_rates_channels(adapter,
NL80211_BAND_5GHZ);
if (status)
return status;
wiphy->bands[NL80211_BAND_5GHZ] = wiphy->bands[NL80211_BAND_5GHZ] =
&adapter->sbands[NL80211_BAND_5GHZ]; &adapter->sbands[NL80211_BAND_5GHZ];
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment