]> git.ipfire.org Git - thirdparty/hostap.git/commitdiff
projects / thirdparty / hostap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bcd271b)
nl80211: Fix NULL pointer dereference for elems in NAN USD offload cases
authorNitesh Dohre <ndohre@qti.qualcomm.com>
Fri, 12 Sep 2025 09:06:59 +0000 (14:36 +0530)
committerJouni Malinen <j@w1.fi>
Mon, 22 Sep 2025 14:36:52 +0000 (17:36 +0300)
Add a NULL pointer check for the elems buffer before attempting to
dereference it with wpabuf_len(elems) and wpabuf_head(elems). This
prevents a potential NULL pointer dereference in the
nl80211_nan_publish() and nl80211_nan_subscribe() functions if NAN USD
offload is used without the element container.

Signed-off-by: Nitesh Dohre <ndohre@qti.qualcomm.com>
src/drivers/driver_nl80211.c patch | blob | blame | history

diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index f1474e26ea7c11814876ea83f1a50cc8a5854198..c5bbe119c9a3feda47dfbe7205ef7aefcd8efd63 100644 (file)
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -13895,8 +13895,8 @@ static int nl80211_nan_publish(void *priv, const u8 *src, int publish_id,
            nla_put_u8(msg, QCA_WLAN_VENDOR_ATTR_USD_SERVICE_PROTOCOL_TYPE,
                       srv_proto_type) ||
            nla_put_u16(msg, QCA_WLAN_VENDOR_ATTR_USD_TTL, params->ttl) ||
-           nla_put(msg, QCA_WLAN_VENDOR_ATTR_USD_ELEMENT_CONTAINER,
-                   wpabuf_len(elems), wpabuf_head(elems)) ||
+           (elems && nla_put(msg, QCA_WLAN_VENDOR_ATTR_USD_ELEMENT_CONTAINER,
+                   wpabuf_len(elems), wpabuf_head(elems))) ||
            (ssi && nla_put(msg, QCA_WLAN_VENDOR_ATTR_USD_SSI,
                            wpabuf_len(ssi), wpabuf_head(ssi))))
                goto fail;
@@ -14048,8 +14048,8 @@ static int nl80211_nan_subscribe(void *priv, const u8 *src, int subscribe_id,
            nla_put_u8(msg, QCA_WLAN_VENDOR_ATTR_USD_SERVICE_PROTOCOL_TYPE,
                       srv_proto_type) ||
            nla_put_u16(msg, QCA_WLAN_VENDOR_ATTR_USD_TTL, params->ttl) ||
-           nla_put(msg, QCA_WLAN_VENDOR_ATTR_USD_ELEMENT_CONTAINER,
-                   wpabuf_len(elems), wpabuf_head(elems)) ||
+           (elems && nla_put(msg, QCA_WLAN_VENDOR_ATTR_USD_ELEMENT_CONTAINER,
+                   wpabuf_len(elems), wpabuf_head(elems))) ||
            (ssi && nla_put(msg, QCA_WLAN_VENDOR_ATTR_USD_SSI,
                            wpabuf_len(ssi), wpabuf_head(ssi))))
                goto fail;
Unnamed repository; edit this file 'description' to name the repository.