aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
authorMarcel Holtmann <marcel@holtmann.org>2007-07-26 00:12:25 -0700
committerDavid S. Miller <davem@sunset.davemloft.net>2007-07-31 02:28:05 -0700
commit09c7d8293a2d1317d16ef4ddb9f6dd2553d0694e (patch)
treea459a511a60427dd75796be371b4d1b99214acec /net/bluetooth
parent566cfd8f0e049a0647f94714f913e2a975dc464f (diff)
downloadkernel_samsung_smdk4412-09c7d8293a2d1317d16ef4ddb9f6dd2553d0694e.zip
kernel_samsung_smdk4412-09c7d8293a2d1317d16ef4ddb9f6dd2553d0694e.tar.gz
kernel_samsung_smdk4412-09c7d8293a2d1317d16ef4ddb9f6dd2553d0694e.tar.bz2
[IRDA]: Fix rfcomm use-after-free
Adrian Bunk wrote: > Commit 8de0a15483b357d0f0b821330ec84d1660cadc4e added the following > use-after-free in net/bluetooth/rfcomm/tty.c: > > <-- snip --> > > ... > static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc) > { > ... > if (IS_ERR(dev->tty_dev)) { > list_del(&dev->list); > kfree(dev); > return PTR_ERR(dev->tty_dev); > } > ... > > <-- snip --> > > Spotted by the Coverity checker. really good catch. I fully overlooked that one. The attached patch should fix it. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/rfcomm/tty.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 23ba61a..22a8320 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -267,7 +267,7 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
out:
write_unlock_bh(&rfcomm_dev_lock);
- if (err) {
+ if (err < 0) {
kfree(dev);
return err;
}
@@ -275,9 +275,10 @@ out:
dev->tty_dev = tty_register_device(rfcomm_tty_driver, dev->id, NULL);
if (IS_ERR(dev->tty_dev)) {
+ err = PTR_ERR(dev->tty_dev);
list_del(&dev->list);
kfree(dev);
- return PTR_ERR(dev->tty_dev);
+ return err;
}
return dev->id;