Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8ebafde0 authored by Dan Carpenter's avatar Dan Carpenter Committed by John W. Linville
Browse files

NFC: use after free on error 



We returned a freed variable on some error paths when the intent was
to return a NULL.  Part of the reason this was missed was that the
code was confusing because it had too many gotos so I removed them
and simplified the flow a bit.

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Acked-by: default avatarLauro Ramos Venancio <lauro.venancio@openbossa.org>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 84b1bec6

net/nfc/nci/core.c

+6 −8
Original line number Original line Diff line number Diff line
@@ -499,19 +499,19 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops, 
					int tx_headroom,

					int tx_headroom,

					int tx_tailroom)

					int tx_tailroom)

{

{

	struct nci_dev *ndev = NULL;

	struct nci_dev *ndev;





	nfc_dbg("entry, supported_protocols 0x%x", supported_protocols);

	nfc_dbg("entry, supported_protocols 0x%x", supported_protocols);





	if (!ops->open || !ops->close || !ops->send)

	if (!ops->open || !ops->close || !ops->send)

		goto exit;

		return NULL;





	if (!supported_protocols)

	if (!supported_protocols)

		goto exit;

		return NULL;





	ndev = kzalloc(sizeof(struct nci_dev), GFP_KERNEL);

	ndev = kzalloc(sizeof(struct nci_dev), GFP_KERNEL);

	if (!ndev)

	if (!ndev)

		goto exit;

		return NULL;





	ndev->ops = ops;

	ndev->ops = ops;

	ndev->tx_headroom = tx_headroom;

	ndev->tx_headroom = tx_headroom;
@@ -526,13 +526,11 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops, 




	nfc_set_drvdata(ndev->nfc_dev, ndev);

	nfc_set_drvdata(ndev->nfc_dev, ndev);





	goto exit;

	return ndev;





free_exit:

free_exit:

	kfree(ndev);

	kfree(ndev);



	return NULL;

exit:

	return ndev;

}

}

EXPORT_SYMBOL(nci_allocate_device);

EXPORT_SYMBOL(nci_allocate_device);