From d6a6c916189e4ef0512a1620afc3c88a114e825d Mon Sep 17 00:00:00 2001 From: Christian Engelmayer Date: Wed, 7 May 2014 21:30:23 +0200 Subject: [PATCH] staging: rtl8188eu: fix potential leak in rtw_wx_read32() Function rtw_wx_read32() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077711. Signed-off-by: Christian Engelmayer Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index cf30a08912d1..45b47e2840b7 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -2154,6 +2154,7 @@ static int rtw_wx_read32(struct net_device *dev, u32 bytes; u8 *ptmp; int rv; + int ret = 0; padapter = (struct adapter *)rtw_netdev_priv(dev); p = &wrqu->data; @@ -2163,16 +2164,16 @@ static int rtw_wx_read32(struct net_device *dev, return -ENOMEM; if (copy_from_user(ptmp, p->pointer, len)) { - kfree(ptmp); - return -EFAULT; + ret = -EFAULT; + goto exit; } bytes = 0; addr = 0; rv = sscanf(ptmp, "%d,%x", &bytes, &addr); if (rv != 2) { - kfree(ptmp); - return -EINVAL; + ret = -EINVAL; + goto exit; } switch (bytes) { @@ -2190,12 +2191,14 @@ static int rtw_wx_read32(struct net_device *dev, break; default: DBG_88E(KERN_INFO "%s: usage> read [bytes],[address(hex)]\n", __func__); - return -EINVAL; + ret = -EINVAL; + goto exit; } DBG_88E(KERN_INFO "%s: addr = 0x%08X data =%s\n", __func__, addr, extra); +exit: kfree(ptmp); - return 0; + return ret; } static int rtw_wx_write32(struct net_device *dev, -- 2.39.5