wifi: cfg80211: fix BSS refcounting bugs
There are multiple refcounting bugs related to multi-BSSID:

- In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro.
- In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data.
- In cfg80211_inform_single_bss_data(), if adding to the non-transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there.

This fixes CVE-2022-42720.

Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: a3584f56 ("cfg80211: Properly track transmitting and non-transmitting BSS")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
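The first bug in the message, the overwritten bss pointer in bss_ref_get(), is easiest to see with a small user-space model. This is an added example, not the kernel's scan.c: the struct layout, the refcount field and the scenario builder tx_refcount_after_get() are assumptions that mirror the commit's description, and the buggy variant reproduces the refcount imbalance the fix removes.

```c
/* Added example, not kernel code: model of the bss_ref_get() fix.
 * Struct fields are assumed from the commit message. */
#include <stddef.h>

struct cfg80211_bss {                 /* public part */
	struct cfg80211_bss *hidden_beacon_bss;
	struct cfg80211_bss *transmitted_bss;
};

struct cfg80211_internal_bss {        /* internal wrapper with refcount */
	int refcount;
	struct cfg80211_bss pub;
};

/* container_of-style step from the public struct to its wrapper */
#define bss_from_pub(p) \
	((struct cfg80211_internal_bss *)((char *)(p) - \
	 offsetof(struct cfg80211_internal_bss, pub)))

/* Buggy: 'bss' is overwritten by the hidden-beacon owner, so the
 * transmitted_bss check below runs against the wrong BSS and the
 * transmitting BSS never gets its reference. */
static void bss_ref_get_buggy(struct cfg80211_internal_bss *bss)
{
	bss->refcount++;
	if (bss->pub.hidden_beacon_bss) {
		bss = bss_from_pub(bss->pub.hidden_beacon_bss);
		bss->refcount++;
	}
	if (bss->pub.transmitted_bss) {
		bss = bss_from_pub(bss->pub.transmitted_bss);
		bss->refcount++;
	}
}

/* Fixed: never reassign 'bss'; dereference each link directly. */
static void bss_ref_get_fixed(struct cfg80211_internal_bss *bss)
{
	bss->refcount++;
	if (bss->pub.hidden_beacon_bss)
		bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++;
	if (bss->pub.transmitted_bss)
		bss_from_pub(bss->pub.transmitted_bss)->refcount++;
}

/* Constructed scenario: a non-transmitted BSS that also has a hidden-beacon
 * owner. Returns the transmitting BSS's refcount after one get. */
static int tx_refcount_after_get(void (*get)(struct cfg80211_internal_bss *))
{
	struct cfg80211_internal_bss tx = {0}, hidden = {0}, nontx = {0};
	nontx.pub.hidden_beacon_bss = &hidden.pub;
	nontx.pub.transmitted_bss = &tx.pub;
	get(&nontx);
	return tx.refcount;
}
```

With the buggy variant the transmitting BSS ends at refcount 0 despite being referenced, which is exactly the imbalance a later put turns into a use-after-free; the fixed variant yields 1.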