From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
To: Christian Engelmayer <cengelma@gmx.at>
Cc: devel@driverdev.osuosl.org, Larry.Finger@lwfinger.net,
florian.c.schilhabel@googlemail.com, gregkh@linuxfoundation.org,
linuxgeek@gmail.com, paul.gortmaker@windriver.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8712: fix potential leak in r871x_wx_set_enc_ext()
Date: Wed, 07 May 2014 09:55:47 +0300 [thread overview]
Message-ID: <1399445747.2677.4.camel@smile.fi.intel.com> (raw)
In-Reply-To: <20140501114500.756b95d0@spike>
On Thu, 2014-05-01 at 11:45 +0200, Christian Engelmayer wrote:
> Fix a potential leak in the error path of r871x_wx_set_enc_ext(). In case the
> requested algorithm is not supported by the driver, the function returns
> without freeing the already allocated 'param' struct. Move the input
> verification to the beginning of the function so that the direct return is
> safe. Detected by Coverity - CID 144373.
>
One comment below.
> Signed-off-by: Christian Engelmayer <cengelma@gmx.at>
> ---
> Compile tested and applies against branch staging-next of tree
> git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
> ---
> drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 16 +++++++++-------
> 1 file changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
> index 23d539d..1eca992 100644
> --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
> +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
> @@ -1801,13 +1801,6 @@ static int r871x_wx_set_enc_ext(struct net_device *dev,
> u32 param_len;
> int ret = 0;
>
> - param_len = sizeof(struct ieee_param) + pext->key_len;
> - param = (struct ieee_param *)_malloc(param_len);
> - if (param == NULL)
> - return -ENOMEM;
> - memset(param, 0, param_len);
> - param->cmd = IEEE_CMD_SET_ENCRYPTION;
> - memset(param->sta_addr, 0xff, ETH_ALEN);
> switch (pext->alg) {
> case IW_ENCODE_ALG_NONE:
> alg_name = "none";
> @@ -1824,6 +1817,15 @@ static int r871x_wx_set_enc_ext(struct net_device *dev,
> default:
> return -EINVAL;
> }
> +
> + param_len = sizeof(struct ieee_param) + pext->key_len;
> + param = (struct ieee_param *)_malloc(param_len);
While you are here could you substitute _malloc by kzalloc and remove
explicit casting and memset?
> + if (param == NULL)
> + return -ENOMEM;
> + memset(param, 0, param_len);
> + param->cmd = IEEE_CMD_SET_ENCRYPTION;
> + memset(param->sta_addr, 0xff, ETH_ALEN);
> +
> strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN);
> if (pext->ext_flags & IW_ENCODE_EXT_GROUP_KEY)
> param->u.crypt.set_tx = 0;
--
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Intel Finland Oy
next prev parent reply other threads:[~2014-05-07 6:55 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-01 9:45 [PATCH] staging: rtl8712: fix potential leak in r871x_wx_set_enc_ext() Christian Engelmayer
2014-05-07 6:55 ` Andy Shevchenko [this message]
2014-05-07 8:55 ` Dan Carpenter
2014-05-13 9:01 ` Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1399445747.2677.4.camel@smile.fi.intel.com \
--to=andriy.shevchenko@linux.intel.com \
--cc=Larry.Finger@lwfinger.net \
--cc=cengelma@gmx.at \
--cc=devel@driverdev.osuosl.org \
--cc=florian.c.schilhabel@googlemail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxgeek@gmail.com \
--cc=paul.gortmaker@windriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox