Hi Adrian,
> Commit 8de0a15483b357d0f0b821330ec84d1660cadc4e added the following
> use-after-free in net/bluetooth/rfcomm/tty.c:
>
> <-- snip -->
>
> ...
> static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
> {
> ...
> if (IS_ERR(dev->tty_dev)) {
> list_del(&dev->list);
> kfree(dev);
> return PTR_ERR(dev->tty_dev);
> }
> ...
>
> <-- snip -->
>
> Spotted by the Coverity checker.
really good catch. I fully overlooked that one. The attached patch
should fix it.
Signed-off-by: Marcel Holtmann <[email protected]>
Regards
Marcel
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 23ba61a..22a8320 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -267,7 +267,7 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
out:
write_unlock_bh(&rfcomm_dev_lock);
- if (err) {
+ if (err < 0) {
kfree(dev);
return err;
}
@@ -275,9 +275,10 @@ out:
dev->tty_dev = tty_register_device(rfcomm_tty_driver, dev->id, NULL);
if (IS_ERR(dev->tty_dev)) {
+ err = PTR_ERR(dev->tty_dev);
list_del(&dev->list);
kfree(dev);
- return PTR_ERR(dev->tty_dev);
+ return err;
}
return dev->id;
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
