From: Johannes Berg johannes.berg@intel.com
mainline inclusion from mainline-v6.9-rc6 commit 801ea33ae82d6a9d954074fbcf8ea9d18f1543a7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U96L CVE: CVE-2024-36941
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
----------------------------------------------------
If the parsing fails, we can dereference a NULL pointer here.
Cc: stable@vger.kernel.org Fixes: be29b99a9b51 ("cfg80211/nl80211: Add packet coalesce support") Reviewed-by: Miriam Rachel Korenblit miriam.rachel.korenblit@intel.com Link: https://msgid.link/20240418105220.b328f80406e7.Id75d961050deb05b3e4e354e0248... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Zhang Zekun zhangzekun11@huawei.com --- net/wireless/nl80211.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index de9580f13914..5acb25f6d5a8 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -11475,6 +11475,8 @@ static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info) error: for (i = 0; i < new_coalesce.n_rules; i++) { tmp_rule = &new_coalesce.rules[i]; + if (!tmp_rule) + continue; for (j = 0; j < tmp_rule->n_patterns; j++) kfree(tmp_rule->patterns[j].mask); kfree(tmp_rule->patterns);
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/8935 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/V...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/8935 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/V...