From: Johannes Berg Date: Tue, 1 Dec 2015 22:15:26 +0000 (+0100) Subject: mac80211: reject zero cookie in mgmt-tx/roc cancel X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=7d37fcd409199f76da522e6f6670a354ac468002;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git mac80211: reject zero cookie in mgmt-tx/roc cancel When cancelling, you can cancel "any" (first in list) mgmt-tx or remain-on-channel operation by using the value 0 for the cookie along with the *opposite* operation, i.e. * cancel the first mgmt-tx by cancelling roc with 0 cookie * cancel the first roc by cancelling mgmt-tx with 0 cookie This isn't really that bad since userspace should only pass cookies that we gave it, but could lead to hard-to-debug issues so better prevent it and reject zero values since we never hand those out. Signed-off-by: Johannes Berg --- diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c index cfd3356e26fd..6719b27aad66 100644 --- a/net/mac80211/offchannel.c +++ b/net/mac80211/offchannel.c @@ -697,6 +697,9 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local, struct ieee80211_roc_work *roc, *tmp, *found = NULL; int ret; + if (!cookie) + return -ENOENT; + mutex_lock(&local->mtx); list_for_each_entry_safe(roc, tmp, &local->roc_list, list) { if (!mgmt_tx && roc->cookie != cookie)