| Message ID | 1435085145-9668-1-git-send-email-linville@tuxdriver.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Kalle Valo |
| Headers | show |
Hi John, > From: John W. Linville [mailto:linville@tuxdriver.com] > Sent: Wednesday, June 24, 2015 12:16 AM > To: linux-wireless@vger.kernel.org > Cc: Amitkumar Karwar; Avinash Patil; Kalle Valo; John W. Linville > Subject: [PATCH] mwifiex: avoid freeing improper pointer in > mwifiex_set_wowlan_mef_entry > > mwifiex_set_wowlan_mef_entry attempts to free a passed-in pointer in > case of an error. The only caller (mwifiex_set_mef_filter) passes that > pointer as an offset into allocated memory, so any attempt to free that > will not be the actual allocated pointer. > > Address this by changing mwifiex_set_wowlan_mef_entry to not do any > free, and to cause mwifiex_set_mef_filter to do the appropriate free if > the call to mwifiex_set_wowlan_mef_entry fails. > > Coverity CID #1295879 > > Signed-off-by: John W. Linville <linville@tuxdriver.com> Acked-by: Amitkumar Karwar <akarwar@marvell.com> Thanks, Amitkumar -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
> mwifiex_set_wowlan_mef_entry attempts to free a passed-in pointer in > case of an error. The only caller (mwifiex_set_mef_filter) passes that > pointer as an offset into allocated memory, so any attempt to free that > will not be the actual allocated pointer. > > Address this by changing mwifiex_set_wowlan_mef_entry to not do any > free, and to cause mwifiex_set_mef_filter to do the appropriate free if > the call to mwifiex_set_wowlan_mef_entry fails. > > Coverity CID #1295879 > > Signed-off-by: John W. Linville <linville@tuxdriver.com> > Acked-by: Amitkumar Karwar <akarwar@marvell.com> Thanks, applied to wireless-drivers-next.git. Kalle Valo -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c index b15e4c7acbec..3f6762dfc947 100644 --- a/drivers/net/wireless/mwifiex/cfg80211.c +++ b/drivers/net/wireless/mwifiex/cfg80211.c @@ -2954,7 +2954,6 @@ static int mwifiex_set_wowlan_mef_entry(struct mwifiex_private *priv, MWIFIEX_MEF_MAX_BYTESEQ)) { mwifiex_dbg(priv->adapter, ERROR, "Pattern not supported\n"); - kfree(mef_entry); return -EOPNOTSUPP; } @@ -3036,9 +3035,12 @@ static int mwifiex_set_mef_filter(struct mwifiex_private *priv, mwifiex_set_auto_arp_mef_entry(priv, &mef_entry[0]); - if (wowlan->n_patterns || wowlan->magic_pkt) + if (wowlan->n_patterns || wowlan->magic_pkt) { ret = mwifiex_set_wowlan_mef_entry(priv, &mef_cfg, &mef_entry[1], wowlan); + if (ret) + goto err; + } if (!mef_cfg.criteria) mef_cfg.criteria = MWIFIEX_CRITERIA_BROADCAST | @@ -3048,6 +3050,8 @@ static int mwifiex_set_mef_filter(struct mwifiex_private *priv, ret = mwifiex_send_cmd(priv, HostCmd_CMD_MEF_CFG, HostCmd_ACT_GEN_SET, 0, &mef_cfg, true); + +err: kfree(mef_entry); return ret; }
mwifiex_set_wowlan_mef_entry attempts to free a passed-in pointer in case of an error. The only caller (mwifiex_set_mef_filter) passes that pointer as an offset into allocated memory, so any attempt to free that will not be the actual allocated pointer. Address this by changing mwifiex_set_wowlan_mef_entry to not do any free, and to cause mwifiex_set_mef_filter to do the appropriate free if the call to mwifiex_set_wowlan_mef_entry fails. Coverity CID #1295879 Signed-off-by: John W. Linville <linville@tuxdriver.com> --- drivers/net/wireless/mwifiex/cfg80211.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)