mac80211: sanity check for null SSID

While associated we should never have empty SSID, but life can be full
of surprises, and is allways better to print a warning than crash.

Before memcpy() in ieee80211_probereq_get() check ssid_len instead of
ssid pointer, sice pointer it always passed by "ssidie + 2" expression
to send probe functions, so practically never can be NULL.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 93d484c8a0b82d641e940e2e6f827f561c5e805b..12ca9820689afdaabdfbf9f651c2fec9b3b33cd6 100644 (file)
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1518,9 +1518,16 @@ static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
                ifmgd->nullfunc_failed = false;
                ieee80211_send_nullfunc(sdata->local, sdata, 0);
        } else {
+               int ssid_len;
+
                ssid = ieee80211_bss_get_ie(ifmgd->associated, WLAN_EID_SSID);
-               ieee80211_send_probe_req(sdata, dst, ssid + 2, ssid[1], NULL, 0,
-                                        (u32) -1, true, false);
+               if (WARN_ON_ONCE(ssid == NULL))
+                       ssid_len = 0;
+               else
+                       ssid_len = ssid[1];
+
+               ieee80211_send_probe_req(sdata, dst, ssid + 2, ssid_len, NULL,
+                                        0, (u32) -1, true, false);
        }
 
        ifmgd->probe_send_count++;
@@ -1596,6 +1603,7 @@ struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw,
        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
        struct sk_buff *skb;
        const u8 *ssid;
+       int ssid_len;
 
        if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
                return NULL;
@@ -1606,8 +1614,13 @@ struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw,
                return NULL;
 
        ssid = ieee80211_bss_get_ie(ifmgd->associated, WLAN_EID_SSID);
+       if (WARN_ON_ONCE(ssid == NULL))
+               ssid_len = 0;
+       else
+               ssid_len = ssid[1];
+
        skb = ieee80211_build_probe_req(sdata, ifmgd->associated->bssid,
-                                       (u32) -1, ssid + 2, ssid[1],
+                                       (u32) -1, ssid + 2, ssid_len,
                                        NULL, 0, true);
 
        return skb;

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 14a01c81f959383e7994870c2885a6a4976c130b..e0b89780b47271eea52b9687a6927208b04e2364 100644 (file)
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2602,7 +2602,7 @@ struct sk_buff *ieee80211_probereq_get(struct ieee80211_hw *hw,
        pos = skb_put(skb, ie_ssid_len);
        *pos++ = WLAN_EID_SSID;
        *pos++ = ssid_len;
-       if (ssid)
+       if (ssid_len)
                memcpy(pos, ssid, ssid_len);
        pos += ssid_len;