diff options
author | Johannes Berg <johannes.berg@intel.com> | 2015-12-02 01:15:26 +0300 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2015-12-04 16:43:32 +0300 |
commit | 7d37fcd409199f76da522e6f6670a354ac468002 (patch) | |
tree | 6f645a02217b84c7b2a16147708a300985109f22 /net/mac80211 | |
parent | 959eb2fd70df86a089e9e31be654462235952a24 (diff) | |
download | linux-7d37fcd409199f76da522e6f6670a354ac468002.tar.xz |
mac80211: reject zero cookie in mgmt-tx/roc cancel
When cancelling, you can cancel "any" (first in list) mgmt-tx
or remain-on-channel operation by using the value 0 for the
cookie along with the *opposite* operation, i.e.
* cancel the first mgmt-tx by cancelling roc with 0 cookie
* cancel the first roc by cancelling mgmt-tx with 0 cookie
This isn't really that bad since userspace should only pass
cookies that we gave it, but could lead to hard-to-debug
issues so better prevent it and reject zero values since we
never hand those out.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211')
-rw-r--r-- | net/mac80211/offchannel.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c index cfd3356e26fd..6719b27aad66 100644 --- a/net/mac80211/offchannel.c +++ b/net/mac80211/offchannel.c @@ -697,6 +697,9 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local, struct ieee80211_roc_work *roc, *tmp, *found = NULL; int ret; + if (!cookie) + return -ENOENT; + mutex_lock(&local->mtx); list_for_each_entry_safe(roc, tmp, &local->roc_list, list) { if (!mgmt_tx && roc->cookie != cookie) |