aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHolger Schurig <hs4233@mail.mn-solutions.de>2007-12-10 06:19:55 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 18:06:34 -0500
commitb6b8abe4ddec2cfb3471ea60f965a137cd4d529d (patch)
treebd666f4ecea2477fb7734abfb0e5a150549694e2
parentc3f949618d01d6c40a0267ae8c01695cc2de08e2 (diff)
libertas: fix use-after-free error
Previously, the display of subscribed events could be wrong. Signed-off-by: Holger Schurig <hs4233@mail.mn-solutions.de> Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/libertas/debugfs.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
index 745191a6896..c5130a2581f 100644
--- a/drivers/net/wireless/libertas/debugfs.c
+++ b/drivers/net/wireless/libertas/debugfs.c
@@ -410,30 +410,32 @@ static ssize_t lbs_threshold_read(
410 char *buf = (char *)addr; 410 char *buf = (char *)addr;
411 u8 value; 411 u8 value;
412 u8 freq; 412 u8 freq;
413 int events = 0;
413 414
414 struct cmd_ds_802_11_subscribe_event *events = kzalloc( 415 struct cmd_ds_802_11_subscribe_event *subscribed = kzalloc(
415 sizeof(struct cmd_ds_802_11_subscribe_event), 416 sizeof(struct cmd_ds_802_11_subscribe_event),
416 GFP_KERNEL); 417 GFP_KERNEL);
417 struct mrvlietypes_thresholds *got; 418 struct mrvlietypes_thresholds *got;
418 419
419 res = lbs_prepare_and_send_command(priv, 420 res = lbs_prepare_and_send_command(priv,
420 CMD_802_11_SUBSCRIBE_EVENT, CMD_ACT_GET, 421 CMD_802_11_SUBSCRIBE_EVENT, CMD_ACT_GET,
421 CMD_OPTION_WAITFORRSP, 0, events); 422 CMD_OPTION_WAITFORRSP, 0, subscribed);
422 if (res) { 423 if (res) {
423 kfree(events); 424 kfree(subscribed);
424 return res; 425 return res;
425 } 426 }
426 427
427 got = lbs_tlv_find(tlv_type, events->tlv, sizeof(events->tlv)); 428 got = lbs_tlv_find(tlv_type, subscribed->tlv, sizeof(subscribed->tlv));
428 if (got) { 429 if (got) {
429 value = got->value; 430 value = got->value;
430 freq = got->freq; 431 freq = got->freq;
432 events = le16_to_cpu(subscribed->events);
431 } 433 }
432 kfree(events); 434 kfree(subscribed);
433 435
434 if (got) 436 if (got)
435 pos += snprintf(buf, len, "%d %d %d\n", value, freq, 437 pos += snprintf(buf, len, "%d %d %d\n", value, freq,
436 !!(le16_to_cpu(events->events) & event_mask)); 438 !!(events & event_mask));
437 439
438 res = simple_read_from_buffer(userbuf, count, ppos, buf, pos); 440 res = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
439 441