From patchwork Wed Sep 14 12:42:36 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bob Copeland X-Patchwork-Id: 9331337 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 58A7E6077A for ; Wed, 14 Sep 2016 12:45:14 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 484392623C for ; Wed, 14 Sep 2016 12:45:14 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 398B22848A; Wed, 14 Sep 2016 12:45:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.4 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 216B92623C for ; Wed, 14 Sep 2016 12:45:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1760261AbcINMpL (ORCPT ); Wed, 14 Sep 2016 08:45:11 -0400 Received: from mail-it0-f66.google.com ([209.85.214.66]:34071 "EHLO mail-it0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755879AbcINMpK (ORCPT ); Wed, 14 Sep 2016 08:45:10 -0400 Received: by mail-it0-f66.google.com with SMTP id 186so1438871itf.1 for ; Wed, 14 Sep 2016 05:45:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bobcopeland-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id; bh=MhxQZYqFgmKZlLBkt9yJIulEuO2E0MEpieFZ+d4xPj8=; b=gRoEFFJBuazu88myI/iNWlQ6/U4W6Rbo7fDHidJD14Xic3tKS+dHgOhRyo5NgH+VZS mQcGVj8DgZEPFNpR499wJ3RpCHvL8OE55t/77X4yMablsuXauywcL/W+hNG2x4PnxDN0 BJ6pql7RUxfQtTOZwdW4jB40Z8PbBzhQ41w8a+ed+ZMsm7WLR3gd9qdApVLl83cX5K9j l8smntwAFabRdI5XMG7ncsO54ER77ScqC8z6rPfW5Tmjy/0AUxB5HIM/UdiGCuhW0nuC 10a7Vnk1rd4o9btbtgsSpKi6i76K9oKD8mTq/2P9EmK797ltlspvrs9wvMb3IjYUqf+5 8bHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=MhxQZYqFgmKZlLBkt9yJIulEuO2E0MEpieFZ+d4xPj8=; b=NvPWs079lUWDIa+aPsBqdDVJDfgXhMxqiqj3sVGUNVKSiuCp2cCYdR332ENClGH/Zs m74GC8MtijT1rLilhH88bf+KBOd/zopD/HhbfExVfQNYGOrhXsbrH9Ei8iSHC1DxJRGF tozF06HqwtCdlJR8X1t+Mz/QHlA4bQrCpwtXFUxvBOq8BLmZNYHjGG6r5XzWmXi1TDIV E5CgHKf54oMTf1zu1Aev4ZZ7NOcRegaBVeKSrkRGaA+/O7layR2rPFz1KwGDSPM/lwyk glaRZzGlX1xUKHVF3/Q20O20nDD54QGx+wurOtEMre8LUc4lTLciU35uSrCzN8CnXEBp WRDQ== X-Gm-Message-State: AE9vXwPsZew1bB0tTjI0v0UpMkRMFTkdkRSjePCCYR95TcC4K35Cx/jGLIRbVUonP0pbYg== X-Received: by 10.107.145.10 with SMTP id t10mr6600312iod.42.1473857109075; Wed, 14 Sep 2016 05:45:09 -0700 (PDT) Received: from hash (CPE0018e7fe5281-CM18593342f28f.cpe.net.cable.rogers.com. [99.236.145.239]) by smtp.gmail.com with ESMTPSA id v69sm1466183itc.1.2016.09.14.05.45.08 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 14 Sep 2016 05:45:08 -0700 (PDT) Received: from bob by hash with local (Exim 4.84_2) (envelope-from ) id 1bk9Wb-0000WJ-0D; Wed, 14 Sep 2016 08:42:49 -0400 From: Bob Copeland To: linux-wireless@vger.kernel.org Cc: Bob Copeland , Amitkumar Karwar , Nishant Sarmukadam Subject: [PATCH] mwifiex: fix error handling in mwifiex_create_custom_regdomain Date: Wed, 14 Sep 2016 08:42:36 -0400 Message-Id: <20160914124236.1951-1-me@bobcopeland.com> X-Mailer: git-send-email 2.9.0 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP smatch reports: sta_cmdresp.c:1053 mwifiex_create_custom_regdomain() warn: possible memory leak of 'regd' Indeed, mwifiex_create_custom_regdomain() returns NULL in the case that channel is missing in the TLV without freeing regd. Moreover, some other error paths in this function return ERR_PTR values which are assigned without checking to the regd field in the mwifiex_adapter struct. The latter is only null-checked where used. Fix by freeing regd in the error path, and only update priv->adapter->regd if the returned pointer is valid. Cc: Amitkumar Karwar Cc: Nishant Sarmukadam Signed-off-by: Bob Copeland --- Note, compile-tested only. It might make sense to instead remove the ERR_PTR stuff if there is no plan to report them further up the call stack but I just went for the minimal patch here. --- drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c index 3344a26..8548027 100644 --- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c @@ -1049,8 +1049,10 @@ mwifiex_create_custom_regdomain(struct mwifiex_private *priv, enum nl80211_band band; chan = *buf++; - if (!chan) + if (!chan) { + kfree(regd); return NULL; + } chflags = *buf++; band = (chan <= 14) ? NL80211_BAND_2GHZ : NL80211_BAND_5GHZ; freq = ieee80211_channel_to_frequency(chan, band); @@ -1116,6 +1118,7 @@ static int mwifiex_ret_chan_region_cfg(struct mwifiex_private *priv, u16 action = le16_to_cpu(reg->action); u16 tlv, tlv_buf_len, tlv_buf_left; struct mwifiex_ie_types_header *head; + struct ieee80211_regdomain *regd; u8 *tlv_buf; if (action != HostCmd_ACT_GEN_GET) @@ -1137,10 +1140,10 @@ static int mwifiex_ret_chan_region_cfg(struct mwifiex_private *priv, mwifiex_dbg_dump(priv->adapter, CMD_D, "CHAN:", (u8 *)head + sizeof(*head), tlv_buf_len); - priv->adapter->regd = - mwifiex_create_custom_regdomain(priv, - (u8 *)head + - sizeof(*head), tlv_buf_len); + regd = mwifiex_create_custom_regdomain(priv, + (u8 *)head + sizeof(*head), tlv_buf_len); + if (!IS_ERR(regd)) + priv->adapter->regd = regd; break; }