| Message ID | 20171116173918.3030-1-colin.king@canonical.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | c4ee30a280b1b921c4b46b46312bf55c3fe9a25a |
| Delegated to: | Kalle Valo |
| Headers | show |
Colin Ian King <colin.king@canonical.com> wrote: > From: Colin Ian King <colin.king@canonical.com> > > In the cases where len is too long, the error return path fails to > kfree allocated buffers buf and usb_reg_buf. The simplest fix is to > perform the sanity check on len before the allocations to avoid having > to do the kfree'ing in the first place. > > Detected by CoverityScan, CID#1452258,1452259 ("Resource Leak") > > Fixes: 59f73e2ae185 ("rsi: check length before USB read/write register") > Signed-off-by: Colin Ian King <colin.king@canonical.com> Patch applied to wireless-drivers-next.git, thanks. c4ee30a280b1 wlcore, wl1251: fix spelling: "Couldnt" -> "Couldn't" and remove error on -ENOMEM
diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c index 08730227cd18..8f8443833348 100644 --- a/drivers/net/wireless/rsi/rsi_91x_usb.c +++ b/drivers/net/wireless/rsi/rsi_91x_usb.c @@ -162,13 +162,13 @@ static int rsi_usb_reg_read(struct usb_device *usbdev, u8 *buf; int status = -ENOMEM; + if (len > RSI_USB_CTRL_BUF_SIZE) + return -EINVAL; + buf = kmalloc(RSI_USB_CTRL_BUF_SIZE, GFP_KERNEL); if (!buf) return status; - if (len > RSI_USB_CTRL_BUF_SIZE) - return -EINVAL; - status = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), USB_VENDOR_REGISTER_READ, @@ -207,13 +207,13 @@ static int rsi_usb_reg_write(struct usb_device *usbdev, u8 *usb_reg_buf; int status = -ENOMEM; + if (len > RSI_USB_CTRL_BUF_SIZE) + return -EINVAL; + usb_reg_buf = kmalloc(RSI_USB_CTRL_BUF_SIZE, GFP_KERNEL); if (!usb_reg_buf) return status; - if (len > RSI_USB_CTRL_BUF_SIZE) - return -EINVAL; - usb_reg_buf[0] = (value & 0x00ff); usb_reg_buf[1] = (value & 0xff00) >> 8; usb_reg_buf[2] = 0x0;