On 04/28/2014 03:56 PM, Christian Engelmayer wrote:
Function rtw_wx_read32() dynamically allocates a temporary buffer that is not
freed in all error paths. Use a centralized exit path and make sure that all
memory is freed correctly. Detected by Coverity - CID 1077711.
Signed-off-by: Christian Engelmayer <cenge...@gmx.at>
Acked-by: Larry Finger <larry.fin...@lwfinger.net>
This Ack is valid for all 5 patches.
Larry
---
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index cf30a08..45b47e2 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -2154,6 +2154,7 @@ static int rtw_wx_read32(struct net_device *dev,
u32 bytes;
u8 *ptmp;
int rv;
+ int ret = 0;
padapter = (struct adapter *)rtw_netdev_priv(dev);
p = &wrqu->data;
@@ -2163,16 +2164,16 @@ static int rtw_wx_read32(struct net_device *dev,
return -ENOMEM;
if (copy_from_user(ptmp, p->pointer, len)) {
- kfree(ptmp);
- return -EFAULT;
+ ret = -EFAULT;
+ goto exit;
}
bytes = 0;
addr = 0;
rv = sscanf(ptmp, "%d,%x", &bytes, &addr);
if (rv != 2) {
- kfree(ptmp);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
switch (bytes) {
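Review bot: The `sscanf(ptmp, "%d,%x", &bytes, &addr)` call parses a buffer filled by `copy_from_user(ptmp, p->pointer, len)`, and nothing in this hunk guarantees a terminating NUL, so a user-supplied string without one could make sscanf read past the end of the allocation. The allocation sits above the hunk, so this needs confirming there; if the buffer is sized exactly `len`, allocate `len + 1` and add `ptmp[len] = '\0';` after the copy, or use `memdup_user_nul()` on kernels that provide it. Separately, `bytes` is declared `u32` but scanned with `%d`; `%u` matches the type. The body of rtw_wx_read32() starts and ends outside this hunk.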
@@ -2190,12 +2191,14 @@ static int rtw_wx_read32(struct net_device *dev,
break;
default:
DBG_88E(KERN_INFO "%s: usage> read [bytes],[address(hex)]\n",
__func__);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
DBG_88E(KERN_INFO "%s: addr = 0x%08X data =%s\n", __func__, addr,
extra);
+exit:
kfree(ptmp);
- return 0;
+ return ret;
}
static int rtw_wx_write32(struct net_device *dev,