[IRDA]: Fix rfcomm use-after-free
Adrian Bunk wrote:
> Commit 8de0a15483
added the following
> use-after-free in net/bluetooth/rfcomm/tty.c:
>
> <-- snip -->
>
> ...
> static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
> {
> ...
> if (IS_ERR(dev->tty_dev)) {
> list_del(&dev->list);
> kfree(dev);
> return PTR_ERR(dev->tty_dev);
> }
> ...
>
> <-- snip -->
>
> Spotted by the Coverity checker.
really good catch. I fully overlooked that one. The attached patch
should fix it.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
566cfd8f0e
commit
09c7d8293a
@ -267,7 +267,7 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
|
||||
out:
|
||||
write_unlock_bh(&rfcomm_dev_lock);
|
||||
|
||||
if (err) {
|
||||
if (err < 0) {
|
||||
kfree(dev);
|
||||
return err;
|
||||
}
|
||||
@ -275,9 +275,10 @@ out:
|
||||
dev->tty_dev = tty_register_device(rfcomm_tty_driver, dev->id, NULL);
|
||||
|
||||
if (IS_ERR(dev->tty_dev)) {
|
||||
err = PTR_ERR(dev->tty_dev);
|
||||
list_del(&dev->list);
|
||||
kfree(dev);
|
||||
return PTR_ERR(dev->tty_dev);
|
||||
return err;
|
||||
}
|
||||
|
||||
return dev->id;
|
||||
|
Loading…
Reference in New Issue
Block a user