Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a74b2bff authored by Sean Young's avatar Sean Young Committed by Mauro Carvalho Chehab
Browse files

media: lirc: do not pass ERR_PTR to kfree 



If memdup_user() fails, txbuf will be an error pointer and passed
to kfree.

Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarSean Young <sean@mess.org>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
parent b996157d

drivers/media/rc/lirc_dev.c

+18 −17
Original line number Diff line number Diff line
@@ -231,7 +231,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf, 
{

	struct lirc_fh *fh = file->private_data;

	struct rc_dev *dev = fh->rc;

	unsigned int *txbuf = NULL;

	unsigned int *txbuf;

	struct ir_raw_event *raw = NULL;

	ssize_t ret;

	size_t count;
@@ -246,14 +246,14 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf, 


	if (!dev->registered) {

		ret = -ENODEV;

		goto out;

		goto out_unlock;

	}



	start = ktime_get();



	if (!dev->tx_ir) {

		ret = -EINVAL;

		goto out;

		goto out_unlock;

	}



	if (fh->send_mode == LIRC_MODE_SCANCODE) {
@@ -261,17 +261,17 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf, 


		if (n != sizeof(scan)) {

			ret = -EINVAL;

			goto out;

			goto out_unlock;

		}



		if (copy_from_user(&scan, buf, sizeof(scan))) {

			ret = -EFAULT;

			goto out;

			goto out_unlock;

		}



		if (scan.flags || scan.keycode || scan.timestamp) {

			ret = -EINVAL;

			goto out;

			goto out_unlock;

		}



		/*
@@ -283,26 +283,26 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf, 
		if (scan.scancode > U32_MAX ||

		    !rc_validate_scancode(scan.rc_proto, scan.scancode)) {

			ret = -EINVAL;

			goto out;

			goto out_unlock;

		}



		raw = kmalloc_array(LIRCBUF_SIZE, sizeof(*raw), GFP_KERNEL);

		if (!raw) {

			ret = -ENOMEM;

			goto out;

			goto out_unlock;

		}



		ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode,

					     raw, LIRCBUF_SIZE);

		if (ret < 0)

			goto out;

			goto out_kfree;



		count = ret;



		txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL);

		if (!txbuf) {

			ret = -ENOMEM;

			goto out;

			goto out_kfree;

		}



		for (i = 0; i < count; i++)
@@ -318,26 +318,26 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf, 
	} else {

		if (n < sizeof(unsigned int) || n % sizeof(unsigned int)) {

			ret = -EINVAL;

			goto out;

			goto out_unlock;

		}



		count = n / sizeof(unsigned int);

		if (count > LIRCBUF_SIZE || count % 2 == 0) {

			ret = -EINVAL;

			goto out;

			goto out_unlock;

		}



		txbuf = memdup_user(buf, n);

		if (IS_ERR(txbuf)) {

			ret = PTR_ERR(txbuf);

			goto out;

			goto out_unlock;

		}

	}



	for (i = 0; i < count; i++) {

		if (txbuf[i] > IR_MAX_DURATION / 1000 - duration || !txbuf[i]) {

			ret = -EINVAL;

			goto out;

			goto out_kfree;

		}



		duration += txbuf[i];
@@ -345,7 +345,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf, 


	ret = dev->tx_ir(dev, txbuf, count);

	if (ret < 0)

		goto out;

		goto out_kfree;



	if (fh->send_mode == LIRC_MODE_SCANCODE) {

		ret = n;
@@ -368,10 +368,11 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf, 
		schedule_timeout(usecs_to_jiffies(towait));

	}



out:

	mutex_unlock(&dev->lock);

out_kfree:

	kfree(txbuf);

	kfree(raw);

out_unlock:

	mutex_unlock(&dev->lock);

	return ret;

}