commit 748cf248afe1d09a4c6973615343fd1192084ea3
author Paul Stewart <pstew@google.com> Fri Jun 10 08:29:55 2016 -0700
committer Paul Stewart <pstew@google.com> Fri Jun 10 08:36:24 2016 -0700
tree 76e8ec50a10ba80fdb96d33c9477f6d3f64d19d0
parent d6cd7d7f4dd46af125c09ef3ca37f11426b27302

Fix use-after-free in qca_nl80211_get_features

Any data accessible from nla_data is freed before the
send_and_recv_msgs function returns, therefore we need to allocate
space for info.flags ourselves.

BUG=29237626

Change-Id: I622d1c624cce785ca7ed76f5c0ea8c5011c9be45

src/drivers/driver_nl80211_capa.c

diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c
index 14a93a0..004d88e 100644
--- a/src/drivers/driver_nl80211_capa.c
+++ b/src/drivers/driver_nl80211_capa.c
@@ -820,8 +820,12 @@
 
 		attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_FEATURE_FLAGS];
 		if (attr) {
-			info->flags = nla_data(attr);
-			info->flags_len = nla_len(attr);
+			int len = nla_len(attr);
+			info->flags = os_malloc(len);
+			if (info->flags != NULL) {
+				os_memcpy(info->flags, nla_data(attr), len);
+				info->flags_len = len;
+			}
 		}
 		attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_CONCURRENCY_CAPA];
 		if (attr)
@@ -884,6 +888,7 @@
 	if (check_feature(QCA_WLAN_VENDOR_FEATURE_OFFCHANNEL_SIMULTANEOUS,
 			  &info))
 		drv->capa.flags |= WPA_DRIVER_FLAGS_OFFCHANNEL_SIMULTANEOUS;
+	os_free(info.flags);
 }
 
 #endif /* CONFIG_DRIVER_NL80211_QCA */