Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 52da2449 authored by Wei Yongjun's avatar Wei Yongjun Committed by Samuel Ortiz
Browse files

NFC: Fix possible LLCP memory leak 

nfc_llcp_build_tlv() malloced the memory and should be free in
nfc_llcp_build_gb() after used, and the same in the error handling
case, otherwise it will cause memory leak.

spatch with a semantic match is used to found this problem.
(http://coccinelle.lip6.fr/

)

Signed-off-by: default avatarWei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: default avatarSamuel Ortiz <sameo@linux.intel.com>
parent 33e59713

net/nfc/llcp/llcp.c

+9 −5
Original line number Diff line number Diff line
@@ -426,6 +426,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local) 
	u8 *miux_tlv, miux_length;

	__be16 miux;

	u8 gb_len = 0;

	int ret = 0;



	version = LLCP_VERSION_11;

	version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version,
@@ -450,8 +451,8 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local) 
	gb_len += ARRAY_SIZE(llcp_magic);



	if (gb_len > NFC_MAX_GT_LEN) {

		kfree(version_tlv);

		return -EINVAL;

		ret = -EINVAL;

		goto out;

	}



	gb_cur = local->gb;
@@ -471,12 +472,15 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local) 
	memcpy(gb_cur, miux_tlv, miux_length);

	gb_cur += miux_length;



	local->gb_len = gb_len;



out:

	kfree(version_tlv);

	kfree(lto_tlv);

	kfree(wks_tlv);

	kfree(miux_tlv);



	local->gb_len = gb_len;



	return 0;

	return ret;

}



u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len)