From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date: Tue, 1 Mar 2022 10:00:20 +0000 (+0800)
Subject: nl80211: Handle nla_memdup failures in handle_nan_filter
X-Git-Tag: v4.19.233~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19e164396ba9f1f11e35cfc575c07b23a83ee5b9;p=thirdparty%2Fkernel%2Fstable.git

nl80211: Handle nla_memdup failures in handle_nan_filter

[ Upstream commit 6ad27f522cb3b210476daf63ce6ddb6568c0508b ]

As there's potential for failure of the nla_memdup(),
check the return value.

Fixes: a442b761b24b ("cfg80211: add add_nan_func / del_nan_func")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Link: https://lore.kernel.org/r/20220301100020.3801187-1-jiasheng@iscas.ac.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 04c4fd376e1d5..c5806f46f6c95 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -11791,6 +11791,9 @@ static int handle_nan_filter(struct nlattr *attr_filter,
 	i = 0;
 	nla_for_each_nested(attr, attr_filter, rem) {
 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
+		if (!filter[i].filter)
+			goto err;
+
 		filter[i].len = nla_len(attr);
 		i++;
 	}
@@ -11803,6 +11806,15 @@ static int handle_nan_filter(struct nlattr *attr_filter,
 	}
 
 	return 0;
+
+err:
+	i = 0;
+	nla_for_each_nested(attr, attr_filter, rem) {
+		kfree(filter[i].filter);
+		i++;
+	}
+	kfree(filter);
+	return -ENOMEM;
 }
 
 static int nl80211_nan_add_func(struct sk_buff *skb,