summaryrefslogtreecommitdiff
path: root/net/mac80211
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2015-12-02 01:15:26 +0300
committerJohannes Berg <johannes.berg@intel.com>2015-12-04 16:43:32 +0300
commit7d37fcd409199f76da522e6f6670a354ac468002 (patch)
tree6f645a02217b84c7b2a16147708a300985109f22 /net/mac80211
parent959eb2fd70df86a089e9e31be654462235952a24 (diff)
downloadlinux-7d37fcd409199f76da522e6f6670a354ac468002.tar.xz
mac80211: reject zero cookie in mgmt-tx/roc cancel
When cancelling, you can cancel "any" (first in list) mgmt-tx or remain-on-channel operation by using the value 0 for the cookie along with the *opposite* operation, i.e. * cancel the first mgmt-tx by cancelling roc with 0 cookie * cancel the first roc by cancelling mgmt-tx with 0 cookie This isn't really that bad since userspace should only pass cookies that we gave it, but could lead to hard-to-debug issues so better prevent it and reject zero values since we never hand those out. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211')
-rw-r--r--net/mac80211/offchannel.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index cfd3356e26fd..6719b27aad66 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -697,6 +697,9 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local,
struct ieee80211_roc_work *roc, *tmp, *found = NULL;
int ret;
+ if (!cookie)
+ return -ENOENT;
+
mutex_lock(&local->mtx);
list_for_each_entry_safe(roc, tmp, &local->roc_list, list) {
if (!mgmt_tx && roc->cookie != cookie)