diff mbox series

wifi: cfg80211: fix memory leak in query_regdb_file()

Message ID CAJ65rDzroYUFnPuzH54dFB1fAYPynDrTZYy-fF72E=Y_bFER-g@mail.gmail.com (mailing list archive)
State Superseded
Delegated to: Johannes Berg
Headers show
Series wifi: cfg80211: fix memory leak in query_regdb_file() | expand

Commit Message

Arend Van Spriel Oct. 19, 2022, 11:44 a.m. UTC 
In the function query_regdb_file() the alpha2 parameter is duplicated
using kmemdup() and subsequently freed in regdb_fw_cb(). However,
request_firmware_nowait() can fail without calling regdb_fw_cb() and
thus leak memory.

Fixes: 007f6c5e6eb4 ("cfg80211: support loading regulatory database as
firmware file")
Signed-off-by: Arend van Spriel <aspriel@gmail.com>
---
 net/wireless/reg.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

 	if (regdb)
@@ -1089,9 +1091,13 @@ static int query_regdb_file(const char *alpha2)
 	if (!alpha2)
 		return -ENOMEM;

-	return request_firmware_nowait(THIS_MODULE, true, "regulatory.db",
-				       &reg_pdev->dev, GFP_KERNEL,
-				       (void *)alpha2, regdb_fw_cb);
+	err = request_firmware_nowait(THIS_MODULE, true, "regulatory.db",
+				      &reg_pdev->dev, GFP_KERNEL,
+				      (void *)alpha2, regdb_fw_cb);
+	if (err)
+		kfree(alpha2);
+
+	return err;
 }

 int reg_reload_regdb(void)

Comments

Kalle Valo Oct. 24, 2022, 9:49 a.m. UTC | #1 
Arend van Spriel <aspriel@gmail.com> writes:

> In the function query_regdb_file() the alpha2 parameter is duplicated
> using kmemdup() and subsequently freed in regdb_fw_cb(). However,
> request_firmware_nowait() can fail without calling regdb_fw_cb() and
> thus leak memory.
>
> Fixes: 007f6c5e6eb4 ("cfg80211: support loading regulatory database as
> firmware file")

The fixes tag should be in one line.
Arend van Spriel Oct. 25, 2022, 8:54 a.m. UTC | #2 
On 10/24/2022 11:49 AM, Kalle Valo wrote:
> Arend van Spriel <aspriel@gmail.com> writes:
> 
>> In the function query_regdb_file() the alpha2 parameter is duplicated
>> using kmemdup() and subsequently freed in regdb_fw_cb(). However,
>> request_firmware_nowait() can fail without calling regdb_fw_cb() and
>> thus leak memory.
>>
>> Fixes: 007f6c5e6eb4 ("cfg80211: support loading regulatory database as
>> firmware file")
> 
> The fixes tag should be in one line.

Correct,which is why I sent a V2 ;-)

Regards,
Arend
diff mbox series

Patch

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index ec25924a1c26..f629c2e15fea 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1080,6 +1080,8 @@  static void regdb_fw_cb(const struct firmware
*fw, void *context)

 static int query_regdb_file(const char *alpha2)
 {
+	int err;
+
 	ASSERT_RTNL();