From: Aleksei Vetrov Date: Tue, 29 Oct 2024 13:22:11 +0000 (+0000) Subject: wifi: nl80211: fix bounds checker error in nl80211_parse_sched_scan X-Git-Tag: v6.11.11~134 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d4ef643ea78c59c22546046c25dc6e7206267672;p=thirdparty%2Fkernel%2Fstable.git wifi: nl80211: fix bounds checker error in nl80211_parse_sched_scan commit 9c46a3a5b394d6d123866aa44436fc2cd342eb0d upstream. The channels array in the cfg80211_scan_request has a __counted_by attribute attached to it, which points to the n_channels variable. This attribute is used in bounds checking, and if it is not set before the array is filled, then the bounds sanitizer will issue a warning or a kernel panic if CONFIG_UBSAN_TRAP is set. This patch sets the size of allocated memory as the initial value for n_channels. It is updated with the actual number of added elements after the array is filled. Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate") Cc: stable@vger.kernel.org Signed-off-by: Aleksei Vetrov Reviewed-by: Jeff Johnson Link: https://patch.msgid.link/20241029-nl80211_parse_sched_scan-bounds-checker-fix-v2-1-c804b787341f@google.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 3766efacfd64f..89e792ece3a1e 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -9776,6 +9776,7 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev, request = kzalloc(size, GFP_KERNEL); if (!request) return ERR_PTR(-ENOMEM); + request->n_channels = n_channels; if (n_ssids) request->ssids = (void *)request +