From patchwork Thu Apr 10 18:31:46 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Engelmayer X-Patchwork-Id: 3964101 Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 81730BFF02 for ; Thu, 10 Apr 2014 18:32:54 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id E43B52064D for ; Thu, 10 Apr 2014 18:32:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 458A62038C for ; Thu, 10 Apr 2014 18:32:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758960AbaDJScS (ORCPT ); Thu, 10 Apr 2014 14:32:18 -0400 Received: from mout.gmx.net ([212.227.15.18]:49939 "EHLO mout.gmx.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758897AbaDJScQ (ORCPT ); Thu, 10 Apr 2014 14:32:16 -0400 Received: from spike ([81.217.122.98]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0Lbdl5-1XI4aK3dwR-00lEnl; Thu, 10 Apr 2014 20:31:52 +0200 Date: Thu, 10 Apr 2014 20:31:46 +0200 From: Christian Engelmayer To: linville@tuxdriver.com, fariyaf@gmail.com Cc: dan.carpenter@oracle.com, joe@perches.com, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH resend] rsi: Fix a potential memory leak in rsi_set_channel() Message-ID: <20140410203146.767149e7@spike> X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.20; x86_64-pc-linux-gnu) Mime-Version: 1.0 X-Provags-ID: V03:K0:Hooi4PtHQGlk6WhWVEtVy2KskjJaJKh6J1nXGheWP8WTKbon1A2 b/qxIzC9TIi63fcX5H5KhdA+VuzDSMDATjk+acJyo3SuldlGSh/GmnQe2RcMPMobXFCLPfy uNBdwU97HKu+Ypff8S52EqrHUGztP4B01Na9uPj3qMl4LxLXoomYchjH88UrDlrWGCwe8sb 1gRnmj4VrTAE0mCVg0fEQ== Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00,FREEMAIL_FROM, RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_TVD_MIME_EPI,UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Fix a potential memory leak in function rsi_set_channel() that is used to program channel changes. The channel check block for the frequency bands directly exits the function in case of an error, thus leaving an already allocated skb unreferenced. Move the checks above allocating the skb. Detected by Coverity: CID 1195576. Signed-off-by: Christian Engelmayer --- Applies against git.kernel.org/pub/scm/linux/kernel/git/linville/wireless.git Compile tested. --- drivers/net/wireless/rsi/rsi_91x_mgmt.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/net/wireless/rsi/rsi_91x_mgmt.c b/drivers/net/wireless/rsi/rsi_91x_mgmt.c index 2361a68..be5b1fd 100644 --- a/drivers/net/wireless/rsi/rsi_91x_mgmt.c +++ b/drivers/net/wireless/rsi/rsi_91x_mgmt.c @@ -841,16 +841,6 @@ int rsi_set_channel(struct rsi_common *common, u16 channel) rsi_dbg(MGMT_TX_ZONE, "%s: Sending scan req frame\n", __func__); - skb = dev_alloc_skb(FRAME_DESC_SZ); - if (!skb) { - rsi_dbg(ERR_ZONE, "%s: Failed in allocation of skb\n", - __func__); - return -ENOMEM; - } - - memset(skb->data, 0, FRAME_DESC_SZ); - mgmt_frame = (struct rsi_mac_frame *)skb->data; - if (common->band == IEEE80211_BAND_5GHZ) { if ((channel >= 36) && (channel <= 64)) channel = ((channel - 32) / 4); @@ -868,6 +858,16 @@ int rsi_set_channel(struct rsi_common *common, u16 channel) } } + skb = dev_alloc_skb(FRAME_DESC_SZ); + if (!skb) { + rsi_dbg(ERR_ZONE, "%s: Failed in allocation of skb\n", + __func__); + return -ENOMEM; + } + + memset(skb->data, 0, FRAME_DESC_SZ); + mgmt_frame = (struct rsi_mac_frame *)skb->data; + mgmt_frame->desc_word[0] = cpu_to_le16(RSI_WIFI_MGMT_Q << 12); mgmt_frame->desc_word[1] = cpu_to_le16(SCAN_REQUEST); mgmt_frame->desc_word[4] = cpu_to_le16(channel);