The new code calls kfree(creq) and on the wreq->essid_len > IEEE80211_MAX_SSID_LEN
case it also unlocks the rdev lock.
This was found with a static checker and compile tested only. :/
Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
--- orig/net/wireless/scan.c 2009-12-23 08:38:15.000000000 +0200
+++ devel/net/wireless/scan.c 2009-12-23 08:50:15.000000000 +0200
@@ -685,7 +685,7 @@ int cfg80211_wext_siwscan(struct net_dev
/* No channels found? */
if (!i) {
err = -EINVAL;
- goto out;
+ goto out1;
}
/* Set real number of channels specified in creq->channels[] */
@@ -694,8 +694,10 @@ int cfg80211_wext_siwscan(struct net_dev
/* translate "Scan for SSID" request */
if (wreq) {
if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
- if (wreq->essid_len > IEEE80211_MAX_SSID_LEN)
- return -EINVAL;
+ if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
+ err = -EINVAL;
+ goto out1;
+ }
memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
creq->ssids[0].ssid_len = wreq->essid_len;
}
@@ -705,6 +707,7 @@ int cfg80211_wext_siwscan(struct net_dev
rdev->scan_req = creq;
err = rdev->ops->scan(wiphy, dev, creq);
+out1:
if (err) {
rdev->scan_req = NULL;
kfree(creq);
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
