diff options
author | Colin Ian King <colin.king@canonical.com> | 2013-10-28 12:58:12 +0000 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2013-11-11 14:38:58 -0500 |
commit | 450991fd2f9d362562c69b2e70832b2ecb7624cb (patch) | |
tree | 6a476e9d713a987c4ec7af8182c82cb832e88cdd /drivers/net/wireless | |
parent | 01c85adfff5a8462aeea70796314c39dab1d9cc2 (diff) | |
download | linux-450991fd2f9d362562c69b2e70832b2ecb7624cb.tar.gz linux-450991fd2f9d362562c69b2e70832b2ecb7624cb.tar.bz2 linux-450991fd2f9d362562c69b2e70832b2ecb7624cb.zip |
rtlwifi: fix null dereference on efuse_word on kmalloc fail returns NULL
kmalloc on efuse_word can return null, leading to free'ing of
elements in efuse_word on the error exit path even though it has not
been allocated. Instead, don't free the elements of efuse_word if
kmalloc failed.
Also, kmalloc of any of the arrays in efuse_word[] can also fail,
leading to undefined contents in the remaining elements leading to
problems when free'ing these elements later on. So kzalloc efuse_word
to ensure the kfree on the remaining elements won't cause breakage.
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless')
-rw-r--r-- | drivers/net/wireless/rtlwifi/efuse.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/net/wireless/rtlwifi/efuse.c b/drivers/net/wireless/rtlwifi/efuse.c index ae13fb94b2e8..2ffc7298f686 100644 --- a/drivers/net/wireless/rtlwifi/efuse.c +++ b/drivers/net/wireless/rtlwifi/efuse.c @@ -262,9 +262,9 @@ void read_efuse(struct ieee80211_hw *hw, u16 _offset, u16 _size_byte, u8 *pbuf) sizeof(u8), GFP_ATOMIC); if (!efuse_tbl) return; - efuse_word = kmalloc(EFUSE_MAX_WORD_UNIT * sizeof(u16 *), GFP_ATOMIC); + efuse_word = kzalloc(EFUSE_MAX_WORD_UNIT * sizeof(u16 *), GFP_ATOMIC); if (!efuse_word) - goto done; + goto out; for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) { efuse_word[i] = kmalloc(efuse_max_section * sizeof(u16), GFP_ATOMIC); @@ -378,6 +378,7 @@ done: for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) kfree(efuse_word[i]); kfree(efuse_word); +out: kfree(efuse_tbl); } |