Commit 770f750b authored Oct 29, 2012 by Szymon Janc Committed by Samuel Ortiz Nov 20, 2012

NFC: pn533: Fix use after free



cmd was freed in pn533_dep_link_up regardless of
pn533_send_cmd_frame_async return code. Cmd is passed as argument to
pn533_in_dep_link_up_complete callback and should be freed there.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>

parent 60ad07ab

drivers/nfc/pn533.c

+2 −6

Original line number	Diff line number	Diff line
		@@ -1820,11 +1820,7 @@ static int pn533_dep_link_up(struct nfc_dev nfc_dev, struct nfc_target target,
		rc = pn533_send_cmd_frame_async(dev, dev->out_frame, dev->in_frame,
		dev->in_maxlen, pn533_in_dep_link_up_complete,
		cmd, GFP_KERNEL);
		if (rc)
		goto out;


		out:
		if (rc < 0)
		kfree(cmd);

		return rc;