[PATCH] mwifiex: avoid freeing improper pointer in mwifiex_set_wowlan_mef_entry

[PATCH] mwifiex: avoid freeing improper pointer in mwifiex_set_wowlan_mef_entry

[John W. Linville]

mwifiex_set_wowlan_mef_entry attempts to free a passed-in pointer in
case of an error.  The only caller (mwifiex_set_mef_filter) passes that
pointer as an offset into allocated memory, so any attempt to free that
will not be the actual allocated pointer.

Address this by changing mwifiex_set_wowlan_mef_entry to not do any
free, and to cause mwifiex_set_mef_filter to do the appropriate free if
the call to mwifiex_set_wowlan_mef_entry fails.

Coverity CID #1295879

Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
 drivers/net/wireless/mwifiex/cfg80211.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c
index b15e4c7acbec..3f6762dfc947 100644
--- a/drivers/net/wireless/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/mwifiex/cfg80211.c
@@ -2954,7 +2954,6 @@ static int mwifiex_set_wowlan_mef_entry(struct mwifiex_private *priv,
 					MWIFIEX_MEF_MAX_BYTESEQ)) {
 			mwifiex_dbg(priv->adapter, ERROR,
 				    "Pattern not supported\n");
-			kfree(mef_entry);
 			return -EOPNOTSUPP;
 		}
 
@@ -3036,9 +3035,12 @@ static int mwifiex_set_mef_filter(struct mwifiex_private *priv,
 
 	mwifiex_set_auto_arp_mef_entry(priv, &mef_entry[0]);
 
-	if (wowlan->n_patterns || wowlan->magic_pkt)
+	if (wowlan->n_patterns || wowlan->magic_pkt) {
 		ret = mwifiex_set_wowlan_mef_entry(priv, &mef_cfg,
 						   &mef_entry[1], wowlan);
+		if (ret)
+			goto err;
+	}
 
 	if (!mef_cfg.criteria)
 		mef_cfg.criteria = MWIFIEX_CRITERIA_BROADCAST |
@@ -3048,6 +3050,8 @@ static int mwifiex_set_mef_filter(struct mwifiex_private *priv,
 	ret = mwifiex_send_cmd(priv, HostCmd_CMD_MEF_CFG,
 			HostCmd_ACT_GEN_SET, 0,
 			&mef_cfg, true);
+
+err:
 	kfree(mef_entry);
 	return ret;
 }
-- 
2.1.0

RE: [PATCH] mwifiex: avoid freeing improper pointer in mwifiex_set_wowlan_mef_entry

[Amitkumar Karwar]

Hi John,

> From: John W. Linville [mailto:linville@tuxdriver.com]
> Sent: Wednesday, June 24, 2015 12:16 AM
> To: linux-wireless@vger.kernel.org
> Cc: Amitkumar Karwar; Avinash Patil; Kalle Valo; John W. Linville
> Subject: [PATCH] mwifiex: avoid freeing improper pointer in
> mwifiex_set_wowlan_mef_entry
> 
> mwifiex_set_wowlan_mef_entry attempts to free a passed-in pointer in
> case of an error.  The only caller (mwifiex_set_mef_filter) passes that
> pointer as an offset into allocated memory, so any attempt to free that
> will not be the actual allocated pointer.
> 
> Address this by changing mwifiex_set_wowlan_mef_entry to not do any
> free, and to cause mwifiex_set_mef_filter to do the appropriate free if
> the call to mwifiex_set_wowlan_mef_entry fails.
> 
> Coverity CID #1295879
> 
> Signed-off-by: John W. Linville <linville@tuxdriver.com>

Acked-by: Amitkumar Karwar <akarwar@marvell.com>

Thanks,
Amitkumar

Re: mwifiex: avoid freeing improper pointer inmwifiex_set_wowlan_mef_entry

[Kalle Valo]

> mwifiex_set_wowlan_mef_entry attempts to free a passed-in pointer in
> case of an error.  The only caller (mwifiex_set_mef_filter) passes that
> pointer as an offset into allocated memory, so any attempt to free that
> will not be the actual allocated pointer.
> 
> Address this by changing mwifiex_set_wowlan_mef_entry to not do any
> free, and to cause mwifiex_set_mef_filter to do the appropriate free if
> the call to mwifiex_set_wowlan_mef_entry fails.
> 
> Coverity CID #1295879
> 
> Signed-off-by: John W. Linville <linville@tuxdriver.com>
> Acked-by: Amitkumar Karwar <akarwar@marvell.com>

Thanks, applied to wireless-drivers-next.git.

Kalle Valo