wifi: cfg80211: wext: set ssids=NULL for passive scans

jmberg-intel · gregkh · commit 7b0579711ac3 · 2024-07-25T09:53:41.000+02:00
commit 0941772 upstream. In nl80211, we always set the ssids of a scan request to NULL when n_ssids==0 (passive scan). Drivers have relied on this behaviour in the past, so we fixed it in 6 GHz scan requests as well, and added a warning so we'd have assurance the API would always be called that way. syzbot found that wext doesn't ensure that, so we reach the check and trigger the warning. Fix the wext code to set the ssids pointer to NULL when there are none. Reported-by: syzbot+cd6135193ba6bb9ad158@syzkaller.appspotmail.com Fixes: f7a8b10 ("wifi: cfg80211: fix 6 GHz scan request building") Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
@@ -3492,8 +3492,10 @@ int cfg80211_wext_siwscan(struct net_device *dev,
 			memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
 			creq->ssids[0].ssid_len = wreq->essid_len;
 		}
-		if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE)
+		if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE) {
+			creq->ssids = NULL;
 			creq->n_ssids = 0;
+		}
 	}
 
 	for (i = 0; i < NUM_NL80211_BANDS; i++)

Original file line number	Diff line number	Diff line change
`@@ -3492,8 +3492,10 @@ int cfg80211_wext_siwscan(struct net_device *dev,`
`3492`	`3492`	`memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);`
`3493`	`3493`	`creq->ssids[0].ssid_len = wreq->essid_len;`
`3494`	`3494`	`}`
`3495`		`- if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE)`
	`3495`	`+ if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE) {`
	`3496`	`+ creq->ssids = NULL;`
`3496`	`3497`	`creq->n_ssids = 0;`
	`3498`	`+ }`
`3497`	`3499`	`}`
`3498`	`3500`
`3499`	`3501`	`for (i = 0; i < NUM_NL80211_BANDS; i++)`