38 lines
1.4 KiB
Diff
38 lines
1.4 KiB
Diff
From: Navid Emamdoost <navid.emamdoost@gmail.com>
|
|
Date: Fri, 25 Oct 2019 23:53:30 -0500
|
|
Subject: wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
|
|
Origin: https://git.kernel.org/linus/6f3ef5c25cc762687a7341c18cbea5af54461407
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19051
|
|
|
|
In the implementation of i2400m_op_rfkill_sw_toggle() the allocated
|
|
buffer for cmd should be released before returning. The
|
|
documentation for i2400m_msg_to_dev() says when it returns the buffer
|
|
can be reused. Meaning cmd should be released in either case. Move
|
|
kfree(cmd) before return to be reached by all execution paths.
|
|
|
|
Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak")
|
|
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
|
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
---
|
|
drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
--- a/drivers/net/wimax/i2400m/op-rfkill.c
|
|
+++ b/drivers/net/wimax/i2400m/op-rfkill.c
|
|
@@ -142,12 +142,12 @@ int i2400m_op_rfkill_sw_toggle(struct wi
|
|
"%d\n", result);
|
|
result = 0;
|
|
error_cmd:
|
|
- kfree(cmd);
|
|
kfree_skb(ack_skb);
|
|
error_msg_to_dev:
|
|
error_alloc:
|
|
d_fnend(4, dev, "(wimax_dev %p state %d) = %d\n",
|
|
wimax_dev, state, result);
|
|
+ kfree(cmd);
|
|
return result;
|
|
}
|
|
|