mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference

1) Using fwctx variable after brcmf_fw_request_done() was executed meant
   accessing freed memory.
2) Using fwctx->completion for the wait_for_completion_timeout() call
   could result in NULL pointer dereference on fw loading error or if
   brcmf_fw_request_done() was executed quickly enough.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 529c95cc15)
lede-17.01
Rafał Miłecki 2019-01-07 17:11:23 +01:00
parent 834bd86424
commit 9d4eed6837
1 changed files with 2 additions and 2 deletions

@ -88,9 +88,9 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
GFP_KERNEL, fwctx,
brcmf_fw_request_code_done);
+ if (!err)
+ wait_for_completion_timeout(fwctx->completion,
+ wait_for_completion_timeout(&completion,
+ msecs_to_jiffies(5000));
+ fwctx->completion = NULL;
+
+ return err;
}
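
Review bot: the `fwctx->completion = NULL;` line after the wait still writes through `fwctx`, which the commit message says may already be freed once brcmf_fw_request_done() has run. As rendered here the line carries no removal marker, so confirm it is dropped together with the old `wait_for_completion_timeout(fwctx->completion,` call. Separately, the return value of `wait_for_completion_timeout(&completion, msecs_to_jiffies(5000))` is discarded, so a timeout is returned to the caller as `err == 0`, the same as success. If `completion` is a local variable, a callback that fires after the 5000 ms timeout would signal an object that is no longer valid. Consider checking for a zero return and handling the timeout case explicitly, and document who owns the completion object after the function returns.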