Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=09c7d8293a2d1317d16ef4ddb9f6dd2553d0694e
Commit:     09c7d8293a2d1317d16ef4ddb9f6dd2553d0694e
Parent:     566cfd8f0e049a0647f94714f913e2a975dc464f
Author:     Marcel Holtmann <[EMAIL PROTECTED]>
AuthorDate: Thu Jul 26 00:12:25 2007 -0700
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Tue Jul 31 02:28:05 2007 -0700

    [IRDA]: Fix rfcomm use-after-free
    
    Adrian Bunk wrote:
    > Commit 8de0a15483b357d0f0b821330ec84d1660cadc4e added the following
    > use-after-free in net/bluetooth/rfcomm/tty.c:
    >
    > <--  snip  -->
    >
    > ...
    > static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc 
*dlc)
    > {
    > ...
    >         if (IS_ERR(dev->tty_dev)) {
    >                 list_del(&dev->list);
    >                 kfree(dev);
    >                 return PTR_ERR(dev->tty_dev);
    >         }
    > ...
    >
    > <--  snip  -->
    >
    > Spotted by the Coverity checker.
    
    really good catch. I fully overlooked that one. The attached patch
    should fix it.
    
    Signed-off-by: Marcel Holtmann <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
 net/bluetooth/rfcomm/tty.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 23ba61a..22a8320 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -267,7 +267,7 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, 
struct rfcomm_dlc *dlc)
 out:
        write_unlock_bh(&rfcomm_dev_lock);
 
-       if (err) {
+       if (err < 0) {
                kfree(dev);
                return err;
        }
@@ -275,9 +275,10 @@ out:
        dev->tty_dev = tty_register_device(rfcomm_tty_driver, dev->id, NULL);
 
        if (IS_ERR(dev->tty_dev)) {
+               err = PTR_ERR(dev->tty_dev);
                list_del(&dev->list);
                kfree(dev);
-               return PTR_ERR(dev->tty_dev);
+               return err;
        }
 
        return dev->id;
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to