提交 8ebafde0 编写于 作者: D Dan Carpenter 提交者: John W. Linville

NFC: use after free on error

We returned a freed variable on some error paths when the intent was
to return a NULL.  Part of the reason this was missed was that the
code was confusing because it had too many gotos so I removed them
and simplified the flow a bit.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
上级 84b1bec6
...@@ -499,19 +499,19 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops, ...@@ -499,19 +499,19 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops,
int tx_headroom, int tx_headroom,
int tx_tailroom) int tx_tailroom)
{ {
struct nci_dev *ndev = NULL; struct nci_dev *ndev;
nfc_dbg("entry, supported_protocols 0x%x", supported_protocols); nfc_dbg("entry, supported_protocols 0x%x", supported_protocols);
if (!ops->open || !ops->close || !ops->send) if (!ops->open || !ops->close || !ops->send)
goto exit; return NULL;
if (!supported_protocols) if (!supported_protocols)
goto exit; return NULL;
ndev = kzalloc(sizeof(struct nci_dev), GFP_KERNEL); ndev = kzalloc(sizeof(struct nci_dev), GFP_KERNEL);
if (!ndev) if (!ndev)
goto exit; return NULL;
ndev->ops = ops; ndev->ops = ops;
ndev->tx_headroom = tx_headroom; ndev->tx_headroom = tx_headroom;
...@@ -526,13 +526,11 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops, ...@@ -526,13 +526,11 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops,
nfc_set_drvdata(ndev->nfc_dev, ndev); nfc_set_drvdata(ndev->nfc_dev, ndev);
goto exit; return ndev;
free_exit: free_exit:
kfree(ndev); kfree(ndev);
return NULL;
exit:
return ndev;
} }
EXPORT_SYMBOL(nci_allocate_device); EXPORT_SYMBOL(nci_allocate_device);
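Review bot: In the first hunk, `tx_headroom` is a signed `int` copied into `ndev` with no range check (`tx_tailroom` is presumably handled the same way just below the visible lines), while the new early returns validate only the `ops` callbacks and `supported_protocols`. If these fields later feed buffer-size arithmetic, which the hunk does not show, a negative value from a driver would yield a wrong length, so I would reject it beside the other argument checks: `if (tx_headroom < 0 || tx_tailroom < 0) return NULL;`. `ops` itself is also dereferenced unchecked in `!ops->open`, so a comment stating that callers must pass a non-NULL `ops` would make that contract explicit. The function body continues between the two hunks, so the `goto free_exit` sites could not be reviewed from this page.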