Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=776c0e96edecf77f827a62d2a1641cc2ca479043
Commit:     776c0e96edecf77f827a62d2a1641cc2ca479043
Parent:     4330eb2e5fb6d3c9c0a0be8ed14793f72334d1d4
Author:     Jiri Kosina <[EMAIL PROTECTED]>
AuthorDate: Wed Feb 21 17:18:03 2007 +0100
Committer:  Jiri Kosina <[EMAIL PROTECTED]>
CommitDate: Thu Mar 1 09:52:43 2007 +0100

    HID: fix possible double-free on error path in hid parser
    
    Freeing of device->collection is properly done in hid_free_device() (as
    this function is supposed to free all the device resources and could be
    called from transport specific code, e.g. usb_hid_configure()).
    
    Remove all kfree() calls preceeding the hid_free_device() call.
    
    Signed-off-by: Jiri Kosina <[EMAIL PROTECTED]>
---
 drivers/hid/hid-core.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index aeeb679..f4ee1af 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -667,7 +667,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned 
size)
 
                if (item.format != HID_ITEM_FORMAT_SHORT) {
                        dbg("unexpected long global item");
-                       kfree(device->collection);
                        hid_free_device(device);
                        kfree(parser);
                        return NULL;
@@ -676,7 +675,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned 
size)
                if (dispatch_type[item.type](parser, &item)) {
                        dbg("item %u %u %u %u parsing failed\n",
                                item.format, (unsigned)item.size, 
(unsigned)item.type, (unsigned)item.tag);
-                       kfree(device->collection);
                        hid_free_device(device);
                        kfree(parser);
                        return NULL;
@@ -685,14 +683,12 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned 
size)
                if (start == end) {
                        if (parser->collection_stack_ptr) {
                                dbg("unbalanced collection at end of report 
description");
-                               kfree(device->collection);
                                hid_free_device(device);
                                kfree(parser);
                                return NULL;
                        }
                        if (parser->local.delimiter_depth) {
                                dbg("unbalanced delimiter at end of report 
description");
-                               kfree(device->collection);
                                hid_free_device(device);
                                kfree(parser);
                                return NULL;
@@ -703,7 +699,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned 
size)
        }
 
        dbg("item fetching failed at offset %d\n", (int)(end - start));
-       kfree(device->collection);
        hid_free_device(device);
        kfree(parser);
        return NULL;
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to