nl80211: Handle nla_memdup failures in handle_nan_filter

BugLink: https://bugs.launchpad.net/bugs/1964361
[ Upstream commit 6ad27f522cb3b210476daf63ce6ddb6568c0508b ]

As there's potential for failure of the nla_memdup(),
check the return value.

Fixes: a442b761b24b ("cfg80211: add add_nan_func / del_nan_func")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Link: https://lore.kernel.org/r/20220301100020.3801187-1-jiasheng@iscas.ac.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 16b3d0cc0bdb08163aeab1f783eb9bd30ab5ea6c..99564db14aa12dea64f5b3239e868acd08c52b1c 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -13177,6 +13177,9 @@ static int handle_nan_filter(struct nlattr *attr_filter,
        i = 0;
        nla_for_each_nested(attr, attr_filter, rem) {
                filter[i].filter = nla_memdup(attr, GFP_KERNEL);
+               if (!filter[i].filter)
+                       goto err;
+
                filter[i].len = nla_len(attr);
                i++;
        }
@@ -13189,6 +13192,15 @@ static int handle_nan_filter(struct nlattr *attr_filter,
        }
 
        return 0;
+
+err:
+       i = 0;
+       nla_for_each_nested(attr, attr_filter, rem) {
+               kfree(filter[i].filter);
+               i++;
+       }
+       kfree(filter);
+       return -ENOMEM;
 }
 
 static int nl80211_nan_add_func(struct sk_buff *skb,