Commit 971ad011 authored by Zhu Yi's avatar Zhu Yi Committed by John W. Linville

iwmc3200wifi: fix a use-after-free bug

The patch fixes a use-after-free bug for cmd->seq_num.
Reported-by: default avatarDan Carpenter <error27@gmail.com>
Signed-off-by: default avatarZhu Yi <yi.zhu@intel.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 9c7c0cdd
...@@ -105,9 +105,9 @@ ...@@ -105,9 +105,9 @@
#include "umac.h" #include "umac.h"
#include "debug.h" #include "debug.h"
static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm, static int iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
struct iwm_nonwifi_cmd *cmd, struct iwm_nonwifi_cmd *cmd,
struct iwm_udma_nonwifi_cmd *udma_cmd) struct iwm_udma_nonwifi_cmd *udma_cmd)
{ {
INIT_LIST_HEAD(&cmd->pending); INIT_LIST_HEAD(&cmd->pending);
...@@ -118,7 +118,7 @@ static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm, ...@@ -118,7 +118,7 @@ static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
cmd->seq_num = iwm->nonwifi_seq_num; cmd->seq_num = iwm->nonwifi_seq_num;
udma_cmd->seq_num = cpu_to_le16(cmd->seq_num); udma_cmd->seq_num = cpu_to_le16(cmd->seq_num);
cmd->seq_num = iwm->nonwifi_seq_num++; iwm->nonwifi_seq_num++;
iwm->nonwifi_seq_num %= UMAC_NONWIFI_SEQ_NUM_MAX; iwm->nonwifi_seq_num %= UMAC_NONWIFI_SEQ_NUM_MAX;
if (udma_cmd->resp) if (udma_cmd->resp)
...@@ -130,6 +130,8 @@ static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm, ...@@ -130,6 +130,8 @@ static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
cmd->buf.len = 0; cmd->buf.len = 0;
memcpy(&cmd->udma_cmd, udma_cmd, sizeof(*udma_cmd)); memcpy(&cmd->udma_cmd, udma_cmd, sizeof(*udma_cmd));
return cmd->seq_num;
} }
u16 iwm_alloc_wifi_cmd_seq(struct iwm_priv *iwm) u16 iwm_alloc_wifi_cmd_seq(struct iwm_priv *iwm)
...@@ -369,7 +371,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm, ...@@ -369,7 +371,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm,
const void *payload) const void *payload)
{ {
struct iwm_nonwifi_cmd *cmd; struct iwm_nonwifi_cmd *cmd;
int ret; int ret, seq_num;
cmd = kzalloc(sizeof(struct iwm_nonwifi_cmd), GFP_KERNEL); cmd = kzalloc(sizeof(struct iwm_nonwifi_cmd), GFP_KERNEL);
if (!cmd) { if (!cmd) {
...@@ -377,7 +379,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm, ...@@ -377,7 +379,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm,
return -ENOMEM; return -ENOMEM;
} }
iwm_nonwifi_cmd_init(iwm, cmd, udma_cmd); seq_num = iwm_nonwifi_cmd_init(iwm, cmd, udma_cmd);
if (cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE || if (cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE ||
cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE_PERSISTENT) { cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE_PERSISTENT) {
...@@ -393,7 +395,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm, ...@@ -393,7 +395,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm,
if (ret < 0) if (ret < 0)
return ret; return ret;
return cmd->seq_num; return seq_num;
} }
static void iwm_build_lmac_hdr(struct iwm_priv *iwm, struct iwm_lmac_hdr *hdr, static void iwm_build_lmac_hdr(struct iwm_priv *iwm, struct iwm_lmac_hdr *hdr,
......
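Review bot: The reason `iwm_hal_send_target_cmd()` now returns a cached `seq_num` rather than `cmd->seq_num` is not recorded in the code, so a later edit at the final `return` could reintroduce a read of a command that, per the commit message, may already be freed by then. I would add a comment above `return seq_num;` such as `/* cmd must not be touched after it has been sent: it may already be freed */`, and a one-line comment on `iwm_nonwifi_cmd_init()` saying it returns the sequence number assigned to `cmd`. The send and free calls sit in the part of the function elided between the hunks, so it is worth confirming there that nothing else reads `cmd` after the send, including on the `ret < 0` path. Separately, the increment-then-modulo on `iwm->nonwifi_seq_num` is a non-atomic update of shared state; no locking is visible in these hunks, so it presumably relies on a lock taken by the caller.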