NFC: use after free on error

We returned a freed variable on some error paths when the intent was to return a NULL. Part of the reason this was missed was that the code was confusing because it had too many gotos so I removed them and simplified the flow a bit. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Lauro Ramos Venancio <lauro.venancio@openbossa.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Dan Carpenter <dan.carpenter@oracle.com> 2011-09-23 02:14:35 -0400
committer: John W. Linville <linville@tuxdriver.com> 2011-09-27 14:34:10 -0400
commit: 8ebafde00ed0c682fed8c34ac5ba90160ea0bb30 (patch)
tree: cc14065f04168bf10f342b29767d6cfa44e16f9d /net/nfc
parent: 84b1bec6d716fc8c289e2530cab109a6e097455b (diff)
1 files changed, 6 insertions, 8 deletions
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 1e6b20f2bc99..4047e29acb3b 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -499,19 +499,19 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops,
                                        int tx_headroom,
                                        int tx_tailroom)
 {
-        struct nci_dev *ndev = NULL;
+        struct nci_dev *ndev;
        nfc_dbg("entry, supported_protocols 0x%x", supported_protocols);
        if (!ops->open || !ops->close || !ops->send)
-                goto exit;
+                return NULL;
        if (!supported_protocols)
-                goto exit;
+                return NULL;
        ndev = kzalloc(sizeof(struct nci_dev), GFP_KERNEL);
        if (!ndev)
-                goto exit;
+                return NULL;
        ndev->ops = ops;
        ndev->tx_headroom = tx_headroom;
@@ -526,13 +526,11 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops,
        nfc_set_drvdata(ndev->nfc_dev, ndev);
-        goto exit;
+        return ndev;
 free_exit:
        kfree(ndev);
+        return NULL;
-exit:
-        return ndev;
 }
 EXPORT_SYMBOL(nci_allocate_device);
author	Dan Carpenter <dan.carpenter@oracle.com>	2011-09-23 02:14:35 -0400
committer	John W. Linville <linville@tuxdriver.com>	2011-09-27 14:34:10 -0400
commit	8ebafde00ed0c682fed8c34ac5ba90160ea0bb30 (patch)
tree	cc14065f04168bf10f342b29767d6cfa44e16f9d /net/nfc
parent	84b1bec6d716fc8c289e2530cab109a6e097455b (diff)

diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index 1e6b20f2bc99..4047e29acb3b 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c
@@ -499,19 +499,19 @@ struct nci_dev nci_allocate_device(struct nci_ops ops,
499	int tx_headroom,	499	int tx_headroom,
500	int tx_tailroom)	500	int tx_tailroom)
501	{	501	{
502	struct nci_dev *ndev = NULL;	502	struct nci_dev *ndev;
503		503
504	nfc_dbg("entry, supported_protocols 0x%x", supported_protocols);	504	nfc_dbg("entry, supported_protocols 0x%x", supported_protocols);
505		505
506	if (!ops->open \|\| !ops->close \|\| !ops->send)	506	if (!ops->open \|\| !ops->close \|\| !ops->send)
507	goto exit;	507	return NULL;
508		508
509	if (!supported_protocols)	509	if (!supported_protocols)
510	goto exit;	510	return NULL;
511		511
512	ndev = kzalloc(sizeof(struct nci_dev), GFP_KERNEL);	512	ndev = kzalloc(sizeof(struct nci_dev), GFP_KERNEL);
513	if (!ndev)	513	if (!ndev)
514	goto exit;	514	return NULL;
515		515
516	ndev->ops = ops;	516	ndev->ops = ops;
517	ndev->tx_headroom = tx_headroom;	517	ndev->tx_headroom = tx_headroom;
@@ -526,13 +526,11 @@ struct nci_dev nci_allocate_device(struct nci_ops ops,
526		526
527	nfc_set_drvdata(ndev->nfc_dev, ndev);	527	nfc_set_drvdata(ndev->nfc_dev, ndev);
528		528
529	goto exit;	529	return ndev;
530		530
531	free_exit:	531	free_exit:
532	kfree(ndev);	532	kfree(ndev);
533		533	return NULL;
534	exit:
535	return ndev;
536	}	534	}
537	EXPORT_SYMBOL(nci_allocate_device);	535	EXPORT_SYMBOL(nci_allocate_device);
538		536