From 7d37fcd409199f76da522e6f6670a354ac468002 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Tue, 1 Dec 2015 23:15:26 +0100 Subject: [PATCH] mac80211: reject zero cookie in mgmt-tx/roc cancel When cancelling, you can cancel "any" (first in list) mgmt-tx or remain-on-channel operation by using the value 0 for the cookie along with the *opposite* operation, i.e. * cancel the first mgmt-tx by cancelling roc with 0 cookie * cancel the first roc by cancelling mgmt-tx with 0 cookie This isn't really that bad since userspace should only pass cookies that we gave it, but could lead to hard-to-debug issues so better prevent it and reject zero values since we never hand those out. Signed-off-by: Johannes Berg --- net/mac80211/offchannel.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c index cfd3356e26fd..6719b27aad66 100644 --- a/net/mac80211/offchannel.c +++ b/net/mac80211/offchannel.c @@ -697,6 +697,9 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local, struct ieee80211_roc_work *roc, *tmp, *found = NULL; int ret; + if (!cookie) + return -ENOENT; + mutex_lock(&local->mtx); list_for_each_entry_safe(roc, tmp, &local->roc_list, list) { if (!mgmt_tx && roc->cookie != cookie) -- 2.30.2