mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
authorBen Hutchings <ben.hutchings@codethink.co.uk>
Fri, 10 Nov 2017 18:48:50 +0000 (18:48 +0000)
committerJohannes Berg <johannes.berg@intel.com>
Mon, 20 Nov 2017 15:57:15 +0000 (16:57 +0100)
hwsim_new_radio_nl() now copies the name attribute in order to add a
null-terminator.  mac80211_hwsim_new_radio() (indirectly) copies it
again into the net_device structure, so the first copy is not used or
freed later.  Free the first copy before returning.

Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
drivers/net/wireless/mac80211_hwsim.c

index 7c3600643c7fdb540e71696e928acedaee3ccccf..10b075a46b266218c53d1e5674c1789e1e0f3d80 100644 (file)
@@ -3108,6 +3108,7 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)
 {
        struct hwsim_new_radio_params param = { 0 };
        const char *hwname = NULL;
+       int ret;
 
        param.reg_strict = info->attrs[HWSIM_ATTR_REG_STRICT_REG];
        param.p2p_device = info->attrs[HWSIM_ATTR_SUPPORT_P2P_DEVICE];
@@ -3147,7 +3148,9 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)
                param.regd = hwsim_world_regdom_custom[idx];
        }
 
-       return mac80211_hwsim_new_radio(info, &param);
+       ret = mac80211_hwsim_new_radio(info, &param);
+       kfree(hwname);
+       return ret;
 }
 
 static int hwsim_del_radio_nl(struct sk_buff *msg, struct genl_info *info)
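Review bot: The `kfree(hwname)` added before `return ret;` releases the copy only on the path that reaches `mac80211_hwsim_new_radio()`, so any earlier `return` taken after the name has been duplicated would still leak it. The body between the two hunks is not visible here, so this needs checking against the full function; the context line `param.regd = hwsim_world_regdom_custom[idx];` suggests an index validation just above it that may return early. If such exits exist, give the function a single exit: set `ret = -EINVAL; goto out;` on the failure paths and end with `out: kfree(hwname); return ret;`. The name comes from a netlink attribute, so a leak on a rejected request could recur on every malformed message, which makes the error paths worth covering in the same fix.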