]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commitdiff
ath10k: fix potential memory leak in ath10k_wmi_tlv_op_pull_fw_stats()
authorChristian Lamparter <chunkeey@googlemail.com>
Thu, 29 Dec 2016 14:12:09 +0000 (16:12 +0200)
committerKalle Valo <kvalo@qca.qualcomm.com>
Fri, 30 Dec 2016 09:11:17 +0000 (11:11 +0200)
ath10k_wmi_tlv_op_pull_fw_stats() uses tb = ath10k_wmi_tlv_parse_alloc(...)
function, which allocates memory. If any of the three error-paths are
taken, this tb needs to be freed.

Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
drivers/net/wireless/ath/ath10k/wmi-tlv.c

index f304f6632c4f469f917e92b77e2fcb29f5944039..1f6bb9e8bb0125f815214bb437d4fe5726f8e7ec 100644 (file)
@@ -1105,8 +1105,10 @@ static int ath10k_wmi_tlv_op_pull_fw_stats(struct ath10k *ar,
                struct ath10k_fw_stats_pdev *dst;
 
                src = data;
-               if (data_len < sizeof(*src))
+               if (data_len < sizeof(*src)) {
+                       kfree(tb);
                        return -EPROTO;
+               }
 
                data += sizeof(*src);
                data_len -= sizeof(*src);
@@ -1126,8 +1128,10 @@ static int ath10k_wmi_tlv_op_pull_fw_stats(struct ath10k *ar,
                struct ath10k_fw_stats_vdev *dst;
 
                src = data;
-               if (data_len < sizeof(*src))
+               if (data_len < sizeof(*src)) {
+                       kfree(tb);
                        return -EPROTO;
+               }
 
                data += sizeof(*src);
                data_len -= sizeof(*src);
@@ -1145,8 +1149,10 @@ static int ath10k_wmi_tlv_op_pull_fw_stats(struct ath10k *ar,
                struct ath10k_fw_stats_peer *dst;
 
                src = data;
-               if (data_len < sizeof(*src))
+               if (data_len < sizeof(*src)) {
+                       kfree(tb);
                        return -EPROTO;
+               }
 
                data += sizeof(*src);
                data_len -= sizeof(*src);