NFC: fix possible memory leak

Message ID	CAPgLHd_sD6NYc=Dj4yJpHY0yLBuDmQx=upQY=XQLi-9kTycK-Q@mail.gmail.com (mailing list archive)
State	Not Applicable, archived
Headers	show Return-Path: <linux-wireless-owner@vger.kernel.org> MIME-Version: 1.0 Date: Sun, 2 Sep 2012 21:21:46 +0800 Message-ID: <CAPgLHd_sD6NYc=Dj4yJpHY0yLBuDmQx=upQY=XQLi-9kTycK-Q@mail.gmail.com> Subject: [PATCH] NFC: fix possible memory leak From: Wei Yongjun <weiyj.lk@gmail.com> To: lauro.venancio@openbossa.org, aloisio.almeida@openbossa.org, sameo@linux.intel.com, davem@davemloft.net Cc: yongjun_wei@trendmicro.com.cn, linux-wireless@vger.kernel.org, netdev@vger.kernel.org Content-Type: text/plain; charset=ISO-8859-1 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk

Message ID

CAPgLHd_sD6NYc=Dj4yJpHY0yLBuDmQx=upQY=XQLi-9kTycK-Q@mail.gmail.com (mailing list archive)

State

Not Applicable, archived

Headers

MIME-Version: 1.0
Date: Sun, 2 Sep 2012 21:21:46 +0800
Message-ID: <CAPgLHd_sD6NYc=Dj4yJpHY0yLBuDmQx=upQY=XQLi-9kTycK-Q@mail.gmail.com>
Subject: [PATCH] NFC: fix possible memory leak
From: Wei Yongjun <weiyj.lk@gmail.com>
To: lauro.venancio@openbossa.org, aloisio.almeida@openbossa.org,
	sameo@linux.intel.com, davem@davemloft.net
Cc: yongjun_wei@trendmicro.com.cn, linux-wireless@vger.kernel.org,
	netdev@vger.kernel.org
Content-Type: text/plain; charset=ISO-8859-1
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk

Commit Message

Wei Yongjun Sept. 2, 2012, 1:21 p.m. UTC

From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>

nfc_llcp_build_tlv() malloced the memory and should be free in
nfc_llcp_build_gb() after used, and the same in the error handling
case, otherwise it will cause memory leak.

spatch with a semantic match is used to found this problem.
(http://coccinelle.lip6.fr/)

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
---
 net/nfc/llcp/llcp.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Samuel Ortiz Sept. 7, 2012, 5:01 p.m. UTC | #1

Hi Wei,

On Sun, Sep 02, 2012 at 09:21:46PM +0800, Wei Yongjun wrote:
> From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
> 
> nfc_llcp_build_tlv() malloced the memory and should be free in
> nfc_llcp_build_gb() after used, and the same in the error handling
> case, otherwise it will cause memory leak.
> 
> spatch with a semantic match is used to found this problem.
> (http://coccinelle.lip6.fr/)
> 
> Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
> ---
>  net/nfc/llcp/llcp.c | 14 +++++++++-----
>  1 file changed, 9 insertions(+), 5 deletions(-)
Patch applied, thanks.

Cheers,
Samuel.

diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index 82f0f75..8152973 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -426,6 +426,7 @@  static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
 	u8 *miux_tlv, miux_length;
 	__be16 miux;
 	u8 gb_len = 0;
+	int ret = 0;
 
 	version = LLCP_VERSION_11;
 	version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version,
@@ -450,8 +451,8 @@  static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
 	gb_len += ARRAY_SIZE(llcp_magic);
 
 	if (gb_len > NFC_MAX_GT_LEN) {
-		kfree(version_tlv);
-		return -EINVAL;
+		ret = -EINVAL;
+		goto out;
 	}
 
 	gb_cur = local->gb;
@@ -471,12 +472,15 @@  static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
 	memcpy(gb_cur, miux_tlv, miux_length);
 	gb_cur += miux_length;
 
+	local->gb_len = gb_len;
+
+out:
 	kfree(version_tlv);
 	kfree(lto_tlv);
+	kfree(wks_tlv);
+	kfree(miux_tlv);
 
-	local->gb_len = gb_len;
-
-	return 0;
+	return ret;
 }
 
 u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len)