[PATCH] scsi: ses fix for len and mem leaking when fail to add intf

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



[PATCH] scsi: ses fix for len and mem leaking when fail to add intf

change to u32 before left shifting char
also fix leaking with scomp leaking when failing.

Signed-off-by: Yinghai Lu <yinghai.lu@xxxxxxx>

Index: linux-2.6/drivers/scsi/ses.c
===================================================================
--- linux-2.6.orig/drivers/scsi/ses.c
+++ linux-2.6/drivers/scsi/ses.c
@@ -369,7 +369,7 @@ static void ses_match_to_enclosure(struc
 			     VPD_INQUIRY_SIZE, NULL, SES_TIMEOUT, SES_RETRIES))
 		goto free;
 
-	len = (buf[2] << 8) + buf[3];
+	len = ((u32)buf[2] << 8) + buf[3];
 	desc = buf + 4;
 	while (desc < buf + len) {
 		enum scsi_protocol proto = desc[0] >> 4;
@@ -420,7 +420,7 @@ static int ses_intf_add(struct class_dev
 
 	if (!scsi_device_enclosure(sdev)) {
 		/* not an enclosure, but might be in one */
-		edev = 	enclosure_find(&sdev->host->shost_gendev);
+		edev = enclosure_find(&sdev->host->shost_gendev);
 		if (edev) {
 			ses_match_to_enclosure(edev, sdev);
 			class_device_put(&edev->cdev);
@@ -451,18 +451,18 @@ static int ses_intf_add(struct class_dev
 		goto err_free;
 	}
 
-	len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
+	len = ((u32)hdr_buf[2] << 8) + hdr_buf[3] + 4;
 	buf = kzalloc(len, GFP_KERNEL);
 	if (!buf)
 		goto err_free;
 
-	ses_dev->page1 = buf;
-	ses_dev->page1_len = len;
-
 	result = ses_recv_diag(sdev, 1, buf, len);
 	if (result)
 		goto recv_failed;
 
+	ses_dev->page1 = buf;
+	ses_dev->page1_len = len;
+
 	types = buf[10];
 	len = buf[11];
 
@@ -474,11 +474,12 @@ static int ses_intf_add(struct class_dev
 			components += type_ptr[1];
 	}
 
+	buf = NULL;
 	result = ses_recv_diag(sdev, 2, hdr_buf, INIT_ALLOC_SIZE);
 	if (result)
 		goto recv_failed;
 
-	len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
+	len = ((u32)hdr_buf[2] << 8) + hdr_buf[3] + 4;
 	buf = kzalloc(len, GFP_KERNEL);
 	if (!buf)
 		goto err_free;
@@ -492,11 +493,12 @@ static int ses_intf_add(struct class_dev
 
 	/* The additional information page --- allows us
 	 * to match up the devices */
+	buf = NULL;
 	result = ses_recv_diag(sdev, 10, hdr_buf, INIT_ALLOC_SIZE);
 	if (result)
 		goto no_page10;
 
-	len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
+	len = ((u32)hdr_buf[2] << 8) + hdr_buf[3] + 4;
 	buf = kzalloc(len, GFP_KERNEL);
 	if (!buf)
 		goto err_free;
@@ -506,16 +508,18 @@ static int ses_intf_add(struct class_dev
 		goto recv_failed;
 	ses_dev->page10 = buf;
 	ses_dev->page10_len = len;
+	buf = NULL;
 
  no_page10:
 	scomp = kmalloc(sizeof(struct ses_component) * components, GFP_KERNEL);
 	if (!scomp)
-		goto  err_free;
+		goto err_free;
 
 	edev = enclosure_register(cdev->dev, sdev->sdev_gendev.bus_id,
 				  components, &ses_enclosure_callbacks);
 	if (IS_ERR(edev)) {
 		err = PTR_ERR(edev);
+		kfree(scomp);
 		goto err_free;
 	}
 
@@ -524,24 +528,27 @@ static int ses_intf_add(struct class_dev
 		edev->component[i].scratch = scomp++;
 
 	/* Page 7 for the descriptors is optional */
-	buf = NULL;
 	result = ses_recv_diag(sdev, 7, hdr_buf, INIT_ALLOC_SIZE);
 	if (result)
 		goto simple_populate;
 
-	len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
+	len = ((u32)hdr_buf[2] << 8) + hdr_buf[3] + 4;
 	/* add 1 for trailing '\0' we'll use */
 	buf = kzalloc(len + 1, GFP_KERNEL);
-	result = ses_recv_diag(sdev, 7, buf, len);
-	if (result) {
+	if (buf)
+		result = ses_recv_diag(sdev, 7, buf, len);
+	else
+		result = 7;
+
  simple_populate:
+	if (result) {
 		kfree(buf);
 		buf = NULL;
 		desc_ptr = NULL;
 		addl_desc_ptr = NULL;
 	} else {
 		desc_ptr = buf + 8;
-		len = (desc_ptr[2] << 8) + desc_ptr[3];
+		len = ((u32)desc_ptr[2] << 8) + desc_ptr[3];
 		/* skip past overall descriptor */
 		desc_ptr += len + 4;
 		addl_desc_ptr = ses_dev->page10 + 8;
@@ -554,7 +561,7 @@ static int ses_intf_add(struct class_dev
 			struct enclosure_component *ecomp;
 
 			if (desc_ptr) {
-				len = (desc_ptr[2] << 8) + desc_ptr[3];
+				len = ((u32)desc_ptr[2] << 8) + desc_ptr[3];
 				desc_ptr += 4;
 				/* Add trailing zero - pushes into
 				 * reserved space */
@@ -575,7 +582,7 @@ static int ses_intf_add(struct class_dev
 							       addl_desc_ptr);
 
 				if (addl_desc_ptr)
-					addl_desc_ptr += addl_desc_ptr[1] + 2;
+					addl_desc_ptr += 2 + addl_desc_ptr[1];
 			}
 		}
 	}
@@ -597,7 +604,6 @@ static int ses_intf_add(struct class_dev
 		    result);
 	err = -ENODEV;
  err_free:
-	kfree(buf);
 	kfree(ses_dev->page10);
 	kfree(ses_dev->page2);
 	kfree(ses_dev->page1);
@@ -630,6 +636,7 @@ static void ses_intf_remove(struct class
 	ses_dev = edev->scratch;
 	edev->scratch = NULL;
 
+	kfree(ses_dev->page10);
 	kfree(ses_dev->page1);
 	kfree(ses_dev->page2);
 	kfree(ses_dev);
-
To unsubscribe from this list: send the line "unsubscribe linux-ide" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Filesystems]     [Linux SCSI]     [Linux RAID]     [Git]     [Kernel Newbies]     [Linux Newbie]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Samba]     [Device Mapper]

  Powered by Linux