From a19dbc71aecdaf1d7a3e23fdbd6f827ed5a36c1a Mon Sep 17 00:00:00 2001
From: Nitesh Dohre
Date: Fri, 12 Sep 2025 14:36:59 +0530
Subject: [PATCH] nl80211: Fix NULL pointer dereference for elems in NAN USD offload cases

Add a NULL pointer check for the elems buffer before attempting to dereference it with wpabuf_len(elems) and wpabuf_head(elems). This prevents a potential NULL pointer dereference in the nl80211_nan_publish() and nl80211_nan_subscribe() functions if NAN USD offload is used without the element container.

Signed-off-by: Nitesh Dohre
---
 src/drivers/driver_nl80211.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index f1474e26e..c5bbe119c 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -13895,8 +13895,8 @@ static int nl80211_nan_publish(void *priv, const u8 *src, int publish_id,
 nla_put_u8(msg, QCA_WLAN_VENDOR_ATTR_USD_SERVICE_PROTOCOL_TYPE,
 srv_proto_type) ||
 nla_put_u16(msg, QCA_WLAN_VENDOR_ATTR_USD_TTL, params->ttl) ||
- nla_put(msg, QCA_WLAN_VENDOR_ATTR_USD_ELEMENT_CONTAINER,
- wpabuf_len(elems), wpabuf_head(elems)) ||
+ (elems && nla_put(msg, QCA_WLAN_VENDOR_ATTR_USD_ELEMENT_CONTAINER,
+ wpabuf_len(elems), wpabuf_head(elems))) ||
 (ssi && nla_put(msg, QCA_WLAN_VENDOR_ATTR_USD_SSI, wpabuf_len(ssi),
 wpabuf_head(ssi))))
 goto fail;
@@ -14048,8 +14048,8 @@ static int nl80211_nan_subscribe(void *priv, const u8 *src, int subscribe_id,
 nla_put_u8(msg, QCA_WLAN_VENDOR_ATTR_USD_SERVICE_PROTOCOL_TYPE,
 srv_proto_type) ||
 nla_put_u16(msg, QCA_WLAN_VENDOR_ATTR_USD_TTL, params->ttl) ||
- nla_put(msg, QCA_WLAN_VENDOR_ATTR_USD_ELEMENT_CONTAINER,
- wpabuf_len(elems), wpabuf_head(elems)) ||
+ (elems && nla_put(msg, QCA_WLAN_VENDOR_ATTR_USD_ELEMENT_CONTAINER,
+ wpabuf_len(elems), wpabuf_head(elems))) ||
 (ssi && nla_put(msg, QCA_WLAN_VENDOR_ATTR_USD_SSI, wpabuf_len(ssi),
 wpabuf_head(ssi))))
 goto fail;
-- 
2.47.3
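Review bot: The new `elems &&` guard in nl80211_nan_publish() skips only a NULL buffer; a non-NULL but empty `elems` still reaches `nla_put()` with a `wpabuf_len(elems)` of 0 and sends a zero-length QCA_WLAN_VENDOR_ATTR_USD_ELEMENT_CONTAINER. Whether the driver treats an empty container the same as an absent one is not visible here, so if the two are meant to be equivalent the condition could begin `(elems && wpabuf_len(elems) && nla_put(msg, ...` instead. The identical guard in the nl80211_nan_subscribe() hunk has the same property. Both functions start and end outside their hunks, so any other use of `elems` in them should be checked for the same NULL case. A comment above the condition such as `/* elems and ssi are optional; their attributes are omitted when not provided */` would record the contract the callers now rely on.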