NFC: Fix possible LLCP memory leak

nfc_llcp_build_tlv() malloced the memory and should be free in nfc_llcp_build_gb() after used, and the same in the error handling case, otherwise it will cause memory leak. spatch with a semantic match is used to found this problem. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-09-02 21:21:46 +08:00 · 2012-09-02 21:21:46 +08:00 · 52da2449e1
parent 33e5971358
commit 52da2449e1
1 changed files with 10 additions and 6 deletions
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@ -426,6 +426,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
 	u8 *miux_tlv, miux_length;
 	__be16 miux;
 	u8 gb_len = 0;
+	int ret = 0;

 	version = LLCP_VERSION_11;
 	version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version,
@ -450,8 +451,8 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
 	gb_len += ARRAY_SIZE(llcp_magic);

 	if (gb_len > NFC_MAX_GT_LEN) {
-		kfree(version_tlv);
-		return -EINVAL;
+		ret = -EINVAL;
+		goto out;
 	}

 	gb_cur = local->gb;
@ -471,12 +472,15 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
 	memcpy(gb_cur, miux_tlv, miux_length);
 	gb_cur += miux_length;

-	kfree(version_tlv);
-	kfree(lto_tlv);
-
 	local->gb_len = gb_len;

-	return 0;
+out:
+	kfree(version_tlv);
+	kfree(lto_tlv);
+	kfree(wks_tlv);
+	kfree(miux_tlv);
+
+	return ret;
 }

 u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len)