nl80211: Fix use-after-free in qca_nl80211_get_features()
authorPaul Stewart <pstew@chromium.org>
Fri, 10 Jun 2016 15:29:55 +0000 (08:29 -0700)
committerJouni Malinen <j@w1.fi>
Sat, 11 Jun 2016 09:12:23 +0000 (12:12 +0300)
Any data reachable through nla_data() is freed before send_and_recv_msgs()
returns, so the handler must copy the attribute payload into its own
allocation for info.flags instead of keeping a pointer into the message.

Signed-off-by: Paul Stewart <pstew@google.com>
src/drivers/driver_nl80211_capa.c

index e1b4b64..1ebbdaa 100644 (file)
@@ -904,8 +904,12 @@ static int features_info_handler(struct nl_msg *msg, void *arg)
 
                attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_FEATURE_FLAGS];
                if (attr) {
-                       info->flags = nla_data(attr);
-                       info->flags_len = nla_len(attr);
+                       int len = nla_len(attr);
+                       info->flags = os_malloc(len);
+                       if (info->flags != NULL) {
+                               os_memcpy(info->flags, nla_data(attr), len);
+                               info->flags_len = len;
+                       }
                }
                attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_CONCURRENCY_CAPA];
                if (attr)
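Review bot: The assignment `info->flags = os_malloc(len);` overwrites any buffer info->flags already holds, so if features_info_handler() is invoked more than once for a single send_and_recv_msgs() call (several responses carrying QCA_WLAN_VENDOR_ATTR_FEATURE_FLAGS), the earlier copy leaks; whether that can happen is not visible from the hunk. Releasing the previous buffer first, `os_free(info->flags);` immediately before the os_malloc(), keeps the handler leak-free in that case. On allocation failure the code leaves info->flags_len untouched while info->flags becomes NULL, so add an `else info->flags_len = 0;` branch to keep the pair consistent for whoever reads them afterwards. Note also that nla_len() may legitimately be 0, in which case os_malloc(0) may return NULL and the failure branch is taken; that is harmless only if the caller treats flags == NULL / flags_len == 0 as "no flags". features_info_handler() begins and ends outside this hunk.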
@@ -968,6 +972,7 @@ static void qca_nl80211_get_features(struct wpa_driver_nl80211_data *drv)
        if (check_feature(QCA_WLAN_VENDOR_FEATURE_OFFCHANNEL_SIMULTANEOUS,
                          &info))
                drv->capa.flags |= WPA_DRIVER_FLAGS_OFFCHANNEL_SIMULTANEOUS;
+       os_free(info.flags);
 }
 
 #endif /* CONFIG_DRIVER_NL80211_QCA */
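Review bot: The added `os_free(info.flags);` is only safe if info.flags is NULL whenever the handler did not allocate it (attribute absent, os_malloc() failure, or send_and_recv_msgs() failing before the handler ran), and only leak-free if no return path between the send and this line bypasses it; the declaration of info and the send_and_recv_msgs() call are outside the hunk, so confirm that info is zeroed beforehand (e.g. `os_memset(&info, 0, sizeof(info));`) and that any early return after the send also frees info.flags. Since ownership now crosses the handler boundary, a short comment on the free, `/* features_info_handler() copied the flags into an os_malloc() buffer owned by this function */`, would make the contract explicit for the next reader.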