diff options
author | Marcel Holtmann <marcel@holtmann.org> | 2007-07-26 00:12:25 -0700 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-07-31 02:28:05 -0700 |
commit | 09c7d8293a2d1317d16ef4ddb9f6dd2553d0694e (patch) | |
tree | a459a511a60427dd75796be371b4d1b99214acec /net/bluetooth | |
parent | 566cfd8f0e049a0647f94714f913e2a975dc464f (diff) | |
download | kernel_samsung_espresso10-09c7d8293a2d1317d16ef4ddb9f6dd2553d0694e.zip kernel_samsung_espresso10-09c7d8293a2d1317d16ef4ddb9f6dd2553d0694e.tar.gz kernel_samsung_espresso10-09c7d8293a2d1317d16ef4ddb9f6dd2553d0694e.tar.bz2 |
[IRDA]: Fix rfcomm use-after-free
Adrian Bunk wrote:
> Commit 8de0a15483b357d0f0b821330ec84d1660cadc4e added the following
> use-after-free in net/bluetooth/rfcomm/tty.c:
>
> <-- snip -->
>
> ...
> static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
> {
> ...
> if (IS_ERR(dev->tty_dev)) {
> list_del(&dev->list);
> kfree(dev);
> return PTR_ERR(dev->tty_dev);
> }
> ...
>
> <-- snip -->
>
> Spotted by the Coverity checker.
really good catch. I fully overlooked that one. The attached patch
should fix it.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bluetooth')
-rw-r--r-- | net/bluetooth/rfcomm/tty.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c index 23ba61a..22a8320 100644 --- a/net/bluetooth/rfcomm/tty.c +++ b/net/bluetooth/rfcomm/tty.c @@ -267,7 +267,7 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc) out: write_unlock_bh(&rfcomm_dev_lock); - if (err) { + if (err < 0) { kfree(dev); return err; } @@ -275,9 +275,10 @@ out: dev->tty_dev = tty_register_device(rfcomm_tty_driver, dev->id, NULL); if (IS_ERR(dev->tty_dev)) { + err = PTR_ERR(dev->tty_dev); list_del(&dev->list); kfree(dev); - return PTR_ERR(dev->tty_dev); + return err; } return dev->id; |