leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Bluetooth: Fix memory leak in read_adv_mon_features()

Browse Source 
read_adv_mon_features() is leaking memory. Free `rp` before returning.

Fixes: e5e1e7fd47 ("Bluetooth: Add handler of MGMT_OP_READ_ADV_MONITOR_FEATURES")
Reported-and-tested-by: syzbot+f7f6e564f4202d8601c6@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=f7f6e564f4202d8601c6
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This commit is contained in:
Peilin Ye
2020-09-09 03:25:51 -04:00
committed by Marcel Holtmann
parent 2041a3f500
commit cafd472a10
1 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
net/bluetooth/mgmt.c
View File

@@ -4157,7 +4157,7 @@ static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
{ {
struct adv_monitor *monitor = NULL; struct adv_monitor *monitor = NULL;
struct mgmt_rp_read_adv_monitor_features *rp = NULL; struct mgmt_rp_read_adv_monitor_features *rp = NULL;
int handle; int handle, err;
size_t rp_size = 0; size_t rp_size = 0;
__u32 supported = 0; __u32 supported = 0;
__u16 num_handles = 0; __u16 num_handles = 0;
@@ -4192,9 +4192,13 @@ static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
if (num_handles) if (num_handles)
memcpy(&rp->handles, &handles, (num_handles * sizeof(u16))); memcpy(&rp->handles, &handles, (num_handles * sizeof(u16)));
return mgmt_cmd_complete(sk, hdev->id, err = mgmt_cmd_complete(sk, hdev->id,
MGMT_OP_READ_ADV_MONITOR_FEATURES, MGMT_OP_READ_ADV_MONITOR_FEATURES,
MGMT_STATUS_SUCCESS, rp, rp_size); MGMT_STATUS_SUCCESS, rp, rp_size);
kfree(rp);
return err;
} }
static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev, static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,