net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()
Greg Hackmann [Mon, 23 Jan 2017 09:41:30 +0000 (14:41 +0530)]
Bug: 32838767
Bug 1858126
CVE-2017-0430 (A-32838767)

Change-Id: I3676556002c3bc63762919e540f68d13959b2af4
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1292382
(cherry picked from commit 2a408e9f998e0013906c58f7a2314bacf47ec672)
Reviewed-on: http://git-master/r/1299528
(cherry picked from commit 088ac085161e19efa60fddb9c20bd1e838c8f5e3)
Reviewed-on: http://git-master/r/1311425
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

drivers/net/wireless/bcmdhd_88/dhd_pno.c

index c06a1a4..43b9126 100644 (file)
@@ -1346,9 +1346,10 @@ _dhd_pno_get_for_batch(dhd_pub_t *dhd, char *buf, int bufsize, int reason)
                list_del(&pscan_results->list);
                MFREE(dhd->osh, pscan_results, SCAN_RESULTS_SIZE);
                _params->params_batch.get_batch.top_node_cnt--;
+       } else {
+               /* increase total scan count using current scan count */
+               _params->params_batch.get_batch.tot_scan_cnt += pscan_results->cnt_header;
        }
-       /* increase total scan count using current scan count */
-       _params->params_batch.get_batch.tot_scan_cnt += pscan_results->cnt_header;
 
        if (buf && bufsize) {
                /* This is a first try to get batching results */
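Review bot: After the `MFREE(dhd->osh, pscan_results, SCAN_RESULTS_SIZE)` call in the first branch, `pscan_results` still holds the freed address, so the fix only holds as long as no later statement touches it; adding `pscan_results = NULL;` directly after the free would make any remaining or future dereference fail immediately instead of reading freed memory. `_dhd_pno_get_for_batch()` starts before and continues past this hunk, so whether other uses of the pointer exist cannot be confirmed from here. The relocated comment should also say why the freed path adds nothing to `tot_scan_cnt`, for example `/* node freed above: nothing to add, and pscan_results must not be read */`. The branch condition sits above the hunk; if it is not a test for a zero `cnt_header`, the total now silently omits that node's count, which is worth confirming against the callers that consume `tot_scan_cnt`.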