Re: [PATCH v2] bluetooth: btmrvl: skb resource leak, and double free.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Kieran,

> if btmrvl_tx_pkt() is called, and the branch
>  if (skb_headroom(skb) < BTM_HEADER_LEN)
> evaluates positive, a new skb is allocated via skb_realloc_headroom.
> 
> The original skb is stored in a tmp variable, before being free'd.
> However on success, the new skb, is not free'd, nor is it
> returned to the caller which will then double-free the original skb.
> 
> This issue exists from the original driver submission in
> commit: #132ff4e5fa8dfb71a7d99902f88043113947e972
> 
> If this code path had been alive, it would have been noted from the
> double-free causing a panic.
> 
> All skb's here should be allocated through bt_skb_alloc which
> adds 8 bytes as headroom, which is plenty against the 4 bytes
> pushed on by this driver.
> 
> This code path is dead, and buggy at the same time, so the cleanest
> approach is to remove the affected branch.
> 
> Reported by coverity (CID 113422)
> 
> Signed-off-by: Kieran Bingham <kieranbingham@xxxxxxxxx>
> ---
> drivers/bluetooth/btmrvl_main.c | 14 --------------
> 1 file changed, 14 deletions(-)

patch has been applied to bluetooth-next tree.

Regards

Marcel

--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux