NFC: use after free on error
We returned a freed variable on some error paths when the intent was to return a NULL. Part of the reason this was missed was that the code was confusing because it had too many gotos so I removed them and simplified the flow a bit. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Lauro Ramos Venancio <lauro.venancio@openbossa.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
parent
84b1bec6d7
commit
8ebafde00e
|
@ -499,19 +499,19 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops,
|
||||||
int tx_headroom,
|
int tx_headroom,
|
||||||
int tx_tailroom)
|
int tx_tailroom)
|
||||||
{
|
{
|
||||||
struct nci_dev *ndev = NULL;
|
struct nci_dev *ndev;
|
||||||
|
|
||||||
nfc_dbg("entry, supported_protocols 0x%x", supported_protocols);
|
nfc_dbg("entry, supported_protocols 0x%x", supported_protocols);
|
||||||
|
|
||||||
if (!ops->open || !ops->close || !ops->send)
|
if (!ops->open || !ops->close || !ops->send)
|
||||||
goto exit;
|
return NULL;
|
||||||
|
|
||||||
if (!supported_protocols)
|
if (!supported_protocols)
|
||||||
goto exit;
|
return NULL;
|
||||||
|
|
||||||
ndev = kzalloc(sizeof(struct nci_dev), GFP_KERNEL);
|
ndev = kzalloc(sizeof(struct nci_dev), GFP_KERNEL);
|
||||||
if (!ndev)
|
if (!ndev)
|
||||||
goto exit;
|
return NULL;
|
||||||
|
|
||||||
ndev->ops = ops;
|
ndev->ops = ops;
|
||||||
ndev->tx_headroom = tx_headroom;
|
ndev->tx_headroom = tx_headroom;
|
||||||
|
@ -526,13 +526,11 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops,
|
||||||
|
|
||||||
nfc_set_drvdata(ndev->nfc_dev, ndev);
|
nfc_set_drvdata(ndev->nfc_dev, ndev);
|
||||||
|
|
||||||
goto exit;
|
return ndev;
|
||||||
|
|
||||||
free_exit:
|
free_exit:
|
||||||
kfree(ndev);
|
kfree(ndev);
|
||||||
|
return NULL;
|
||||||
exit:
|
|
||||||
return ndev;
|
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(nci_allocate_device);
|
EXPORT_SYMBOL(nci_allocate_device);
|
||||||
|
|
||||||
|
|
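Review bot: `ops` is dereferenced in `if (!ops->open || !ops->close || !ops->send)` before anything tests the pointer itself, so a driver that passes a NULL `ops` would fault here instead of getting NULL back. If callers do not already guarantee a non-NULL `ops`, the guard could read `if (!ops || !ops->open || !ops->close || !ops->send)`. With every failure path now returning NULL, a short comment above `free_exit:` such as `/* reached only after kzalloc() succeeded; never return ndev from here */` would help keep the freed pointer from being returned again. As a style point, `ndev = kzalloc(sizeof(*ndev), GFP_KERNEL);` ties the size to the pointer rather than repeating the type. The lines between the two hunks, where the jump to `free_exit` presumably sits, are not shown on this page.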