[PATCH] drivers/net/wimax/i2400m/fw.c fix possible double free

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2010-03-16 at 14:14 -0700, David Miller wrote: 
> From: Darren Jenkins <darrenrjenkins at gmail.com>
> Date: Tue, 16 Mar 2010 22:46:28 +1100
> 
> > i2400m_fw_check() can free i2400m->fw_hdrs if krealloc() fails causing a double free
> > Add a check so we don't free the memory a second time.
> > 
> > coverity CID: 13455
> > 
> > Signed-off-by: Darren Jenkins <darrenrjenkins at gmail.com>
> 
> Please don't fix it like this, the check is obscure and it's
> allowing other bugs to happen.
> 
> If krealloc() fails, any refrence to i2400m->fw_hdrs is
> referencing freed memory.
> 
> Therefore the krealloc() failure handling in this driver should NULL
> out i2400m->fw_hdrs and that will fix the double kfree problem as well
> as trap any stray references.

I agree with David, the fix is quite obscure. The error path in
i2400m_fw_check()'s call to i2400m_kzrealloc_2x() should be rather
cleaning up in a better way.








[Index of Archives]     [Linux Kernel]     [Linux Wireless]     [Linux Bluetooth]     [Linux Netdev]     [Linux Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux