aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMarcel Holtmann <marcel@holtmann.org>2007-07-26 03:12:25 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-07-31 05:28:05 -0400
commit09c7d8293a2d1317d16ef4ddb9f6dd2553d0694e (patch)
treea459a511a60427dd75796be371b4d1b99214acec
parent566cfd8f0e049a0647f94714f913e2a975dc464f (diff)
[IRDA]: Fix rfcomm use-after-free
Adrian Bunk wrote: > Commit 8de0a15483b357d0f0b821330ec84d1660cadc4e added the following > use-after-free in net/bluetooth/rfcomm/tty.c: > > <-- snip --> > > ... > static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc) > { > ... > if (IS_ERR(dev->tty_dev)) { > list_del(&dev->list); > kfree(dev); > return PTR_ERR(dev->tty_dev); > } > ... > > <-- snip --> > > Spotted by the Coverity checker. really good catch. I fully overlooked that one. The attached patch should fix it. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/bluetooth/rfcomm/tty.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 23ba61a13bdd..22a832098d44 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -267,7 +267,7 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
267out: 267out:
268 write_unlock_bh(&rfcomm_dev_lock); 268 write_unlock_bh(&rfcomm_dev_lock);
269 269
270 if (err) { 270 if (err < 0) {
271 kfree(dev); 271 kfree(dev);
272 return err; 272 return err;
273 } 273 }
@@ -275,9 +275,10 @@ out:
275 dev->tty_dev = tty_register_device(rfcomm_tty_driver, dev->id, NULL); 275 dev->tty_dev = tty_register_device(rfcomm_tty_driver, dev->id, NULL);
276 276
277 if (IS_ERR(dev->tty_dev)) { 277 if (IS_ERR(dev->tty_dev)) {
278 err = PTR_ERR(dev->tty_dev);
278 list_del(&dev->list); 279 list_del(&dev->list);
279 kfree(dev); 280 kfree(dev);
280 return PTR_ERR(dev->tty_dev); 281 return err;
281 } 282 }
282 283
283 return dev->id; 284 return dev->id;