authorZhu Yi <yi.zhu@intel.com>2009-07-19 23:47:47 -0400
committerJohn W. Linville <linville@tuxdriver.com>2009-07-24 15:05:29 -0400
commit971ad01169398170976951d3a9479a29d231c734 (patch)
tree37012c42b226479628293a48e8faf7422d58110d
parent9c7c0cdd24e64f9aed39453a1bffc3b3fd16ef99 (diff)
iwmc3200wifi: fix a use-after-free bug
The patch fixes a use-after-free bug for cmd->seq_num; Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/iwmc3200wifi/hal.c16
1 files changed, 9 insertions, 7 deletions
diff --git a/drivers/net/wireless/iwmc3200wifi/hal.c b/drivers/net/wireless/iwmc3200wifi/hal.c
index ee127fe4f43f..c430418248b4 100644
--- a/drivers/net/wireless/iwmc3200wifi/hal.c
+++ b/drivers/net/wireless/iwmc3200wifi/hal.c
@@ -105,9 +105,9 @@
105#include "umac.h" 105#include "umac.h"
106#include "debug.h" 106#include "debug.h"
107 107
108static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm, 108static int iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
109 struct iwm_nonwifi_cmd *cmd, 109 struct iwm_nonwifi_cmd *cmd,
110 struct iwm_udma_nonwifi_cmd *udma_cmd) 110 struct iwm_udma_nonwifi_cmd *udma_cmd)
111{ 111{
112 INIT_LIST_HEAD(&cmd->pending); 112 INIT_LIST_HEAD(&cmd->pending);
113 113
@@ -118,7 +118,7 @@ static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
118 cmd->seq_num = iwm->nonwifi_seq_num; 118 cmd->seq_num = iwm->nonwifi_seq_num;
119 udma_cmd->seq_num = cpu_to_le16(cmd->seq_num); 119 udma_cmd->seq_num = cpu_to_le16(cmd->seq_num);
120 120
121 cmd->seq_num = iwm->nonwifi_seq_num++; 121 iwm->nonwifi_seq_num++;
122 iwm->nonwifi_seq_num %= UMAC_NONWIFI_SEQ_NUM_MAX; 122 iwm->nonwifi_seq_num %= UMAC_NONWIFI_SEQ_NUM_MAX;
123 123
124 if (udma_cmd->resp) 124 if (udma_cmd->resp)
@@ -130,6 +130,8 @@ static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
130 cmd->buf.len = 0; 130 cmd->buf.len = 0;
131 131
132 memcpy(&cmd->udma_cmd, udma_cmd, sizeof(*udma_cmd)); 132 memcpy(&cmd->udma_cmd, udma_cmd, sizeof(*udma_cmd));
133
134 return cmd->seq_num;
133} 135}
134 136
135u16 iwm_alloc_wifi_cmd_seq(struct iwm_priv *iwm) 137u16 iwm_alloc_wifi_cmd_seq(struct iwm_priv *iwm)
@@ -369,7 +371,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm,
369 const void *payload) 371 const void *payload)
370{ 372{
371 struct iwm_nonwifi_cmd *cmd; 373 struct iwm_nonwifi_cmd *cmd;
372 int ret; 374 int ret, seq_num;
373 375
374 cmd = kzalloc(sizeof(struct iwm_nonwifi_cmd), GFP_KERNEL); 376 cmd = kzalloc(sizeof(struct iwm_nonwifi_cmd), GFP_KERNEL);
375 if (!cmd) { 377 if (!cmd) {
@@ -377,7 +379,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm,
377 return -ENOMEM; 379 return -ENOMEM;
378 } 380 }
379 381
380 iwm_nonwifi_cmd_init(iwm, cmd, udma_cmd); 382 seq_num = iwm_nonwifi_cmd_init(iwm, cmd, udma_cmd);
381 383
382 if (cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE || 384 if (cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE ||
383 cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE_PERSISTENT) { 385 cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE_PERSISTENT) {
@@ -393,7 +395,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm,
393 if (ret < 0) 395 if (ret < 0)
394 return ret; 396 return ret;
395 397
396 return cmd->seq_num; 398 return seq_num;
397} 399}
398 400
399static void iwm_build_lmac_hdr(struct iwm_priv *iwm, struct iwm_lmac_hdr *hdr, 401static void iwm_build_lmac_hdr(struct iwm_priv *iwm, struct iwm_lmac_hdr *hdr,
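Review bot: Nothing at the call site `seq_num = iwm_nonwifi_cmd_init(iwm, cmd, udma_cmd);` in iwm_hal_send_target_cmd records why the sequence number is copied into a local, so a later cleanup could restore `return cmd->seq_num;` and bring the use-after-free back. The function's body is only partly shown, and the free that the commit message refers to sits in the lines between the hunks, which makes the reason even harder to see from the code. I would add `/* cmd may already be freed by the time we return; do not read cmd->seq_num after the send */` above that assignment, and a one-line comment on iwm_nonwifi_cmd_init stating that it returns the sequence number assigned to cmd. The helper now returns `int` for a value that is also passed through `cpu_to_le16()`, so it presumably fits in 16 bits and stays non-negative after the `%= UMAC_NONWIFI_SEQ_NUM_MAX` wrap. That matters because the caller uses negative returns for errors, so it is worth confirming against the struct definition.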