diff options
author | Oliver Neukum <oliver@neukum.org> | 2007-09-17 14:15:53 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2007-10-12 17:55:26 -0400 |
commit | ed6590a861a16276db34ee626375fa79f3369ac3 (patch) | |
tree | b8f20b07045e42ba77eea677ac7314a6e8b0d62c /drivers/usb/serial | |
parent | 0e66fb3492442faa17fc7f27a3eba35b3c811e38 (diff) |
USB: fix double frees in error code paths of ipaq driver
the error code paths can be enter with buffers to freed buffers.
Serial core would do a kfree() on memory already freed.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/usb/serial')
-rw-r--r-- | drivers/usb/serial/ipaq.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/usb/serial/ipaq.c b/drivers/usb/serial/ipaq.c index 6a3a704b5849..c1a6484f6524 100644 --- a/drivers/usb/serial/ipaq.c +++ b/drivers/usb/serial/ipaq.c | |||
@@ -646,11 +646,13 @@ static int ipaq_open(struct usb_serial_port *port, struct file *filp) | |||
646 | kfree(port->bulk_out_buffer); | 646 | kfree(port->bulk_out_buffer); |
647 | port->bulk_in_buffer = kmalloc(URBDATA_SIZE, GFP_KERNEL); | 647 | port->bulk_in_buffer = kmalloc(URBDATA_SIZE, GFP_KERNEL); |
648 | if (port->bulk_in_buffer == NULL) { | 648 | if (port->bulk_in_buffer == NULL) { |
649 | port->bulk_out_buffer = NULL; /* prevent double free */ | ||
649 | goto enomem; | 650 | goto enomem; |
650 | } | 651 | } |
651 | port->bulk_out_buffer = kmalloc(URBDATA_SIZE, GFP_KERNEL); | 652 | port->bulk_out_buffer = kmalloc(URBDATA_SIZE, GFP_KERNEL); |
652 | if (port->bulk_out_buffer == NULL) { | 653 | if (port->bulk_out_buffer == NULL) { |
653 | kfree(port->bulk_in_buffer); | 654 | kfree(port->bulk_in_buffer); |
655 | port->bulk_in_buffer = NULL; | ||
654 | goto enomem; | 656 | goto enomem; |
655 | } | 657 | } |
656 | port->read_urb->transfer_buffer = port->bulk_in_buffer; | 658 | port->read_urb->transfer_buffer = port->bulk_in_buffer; |