mac80211: protect ieee80211_assign_beacon with next_beacon check

Even if it is not a real issue since ieee80211_set_after_csa_beacon()
or ieee80211_set_after_color_change_beacon() are run only when csa or bcc
is active, move next_beacon check before running ieee80211_assign_beacon
routine.

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://lore.kernel.org/r/041764ed7e9781bcee66c33b41f1365aa4205932.1649327683.git.lorenzo@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index ba75253..8e14ff5 100644 (file)
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -3306,13 +3306,14 @@ static int ieee80211_set_after_csa_beacon(struct ieee80211_sub_if_data *sdata,
 
        switch (sdata->vif.type) {
        case NL80211_IFTYPE_AP:
+               if (!sdata->u.ap.next_beacon)
+                       return -EINVAL;
+
                err = ieee80211_assign_beacon(sdata, sdata->u.ap.next_beacon,
                                              NULL, NULL);
-               if (sdata->u.ap.next_beacon) {
-                       kfree(sdata->u.ap.next_beacon->mbssid_ies);
-                       kfree(sdata->u.ap.next_beacon);
-                       sdata->u.ap.next_beacon = NULL;
-               }
+               kfree(sdata->u.ap.next_beacon->mbssid_ies);
+               kfree(sdata->u.ap.next_beacon);
+               sdata->u.ap.next_beacon = NULL;
 
                if (err < 0)
                        return err;
@@ -4314,13 +4315,14 @@ ieee80211_set_after_color_change_beacon(struct ieee80211_sub_if_data *sdata,
        case NL80211_IFTYPE_AP: {
                int ret;
 
+               if (!sdata->u.ap.next_beacon)
+                       return -EINVAL;
+
                ret = ieee80211_assign_beacon(sdata, sdata->u.ap.next_beacon,
                                              NULL, NULL);
-               if (sdata->u.ap.next_beacon) {
-                       kfree(sdata->u.ap.next_beacon->mbssid_ies);
-                       kfree(sdata->u.ap.next_beacon);
-                       sdata->u.ap.next_beacon = NULL;
-               }
+               kfree(sdata->u.ap.next_beacon->mbssid_ies);
+               kfree(sdata->u.ap.next_beacon);
+               sdata->u.ap.next_beacon = NULL;
 
                if (ret < 0)
                        return ret;