Commit 9dc688f9 authored by Roel Kluin's avatar Roel Kluin Committed by James Toy

Allocations may fail, prevent NULL dereferences.

Remaining bug: in drivers/staging/rt2860/rt_main_dev.c rt28xx_probe()
`handle' isn't freed in the case of later errors.
Signed-off-by: default avatarRoel Kluin <roel.kluin@gmail.com>
Acked-by: default avatarBartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Cc: <devel@driverdev.osuosl.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
parent 82d78041
...@@ -867,6 +867,8 @@ VOID BAOriSessionTearDown( ...@@ -867,6 +867,8 @@ VOID BAOriSessionTearDown(
// force send specified TID DelBA // force send specified TID DelBA
MLME_DELBA_REQ_STRUCT DelbaReq; MLME_DELBA_REQ_STRUCT DelbaReq;
MLME_QUEUE_ELEM *Elem = (MLME_QUEUE_ELEM *) kmalloc(sizeof(MLME_QUEUE_ELEM), MEM_ALLOC_FLAG); MLME_QUEUE_ELEM *Elem = (MLME_QUEUE_ELEM *) kmalloc(sizeof(MLME_QUEUE_ELEM), MEM_ALLOC_FLAG);
if (Elem == NULL)
return;
NdisZeroMemory(&DelbaReq, sizeof(DelbaReq)); NdisZeroMemory(&DelbaReq, sizeof(DelbaReq));
NdisZeroMemory(Elem, sizeof(MLME_QUEUE_ELEM)); NdisZeroMemory(Elem, sizeof(MLME_QUEUE_ELEM));
...@@ -900,6 +902,8 @@ VOID BAOriSessionTearDown( ...@@ -900,6 +902,8 @@ VOID BAOriSessionTearDown(
{ {
MLME_DELBA_REQ_STRUCT DelbaReq; MLME_DELBA_REQ_STRUCT DelbaReq;
MLME_QUEUE_ELEM *Elem = (MLME_QUEUE_ELEM *) kmalloc(sizeof(MLME_QUEUE_ELEM), MEM_ALLOC_FLAG); MLME_QUEUE_ELEM *Elem = (MLME_QUEUE_ELEM *) kmalloc(sizeof(MLME_QUEUE_ELEM), MEM_ALLOC_FLAG);
if (Elem == NULL)
return;
NdisZeroMemory(&DelbaReq, sizeof(DelbaReq)); NdisZeroMemory(&DelbaReq, sizeof(DelbaReq));
NdisZeroMemory(Elem, sizeof(MLME_QUEUE_ELEM)); NdisZeroMemory(Elem, sizeof(MLME_QUEUE_ELEM));
......
...@@ -2011,6 +2011,8 @@ UINT deaggregate_AMSDU_announce( ...@@ -2011,6 +2011,8 @@ UINT deaggregate_AMSDU_announce(
{ {
// avoid local heap overflow, use dyanamic allocation // avoid local heap overflow, use dyanamic allocation
MLME_QUEUE_ELEM *Elem = (MLME_QUEUE_ELEM *) kmalloc(sizeof(MLME_QUEUE_ELEM), MEM_ALLOC_FLAG); MLME_QUEUE_ELEM *Elem = (MLME_QUEUE_ELEM *) kmalloc(sizeof(MLME_QUEUE_ELEM), MEM_ALLOC_FLAG);
if (Elem == NULL)
return;
memmove(Elem->Msg+(LENGTH_802_11 + LENGTH_802_1_H), pPayload, PayloadSize); memmove(Elem->Msg+(LENGTH_802_11 + LENGTH_802_1_H), pPayload, PayloadSize);
Elem->MsgLen = LENGTH_802_11 + LENGTH_802_1_H + PayloadSize; Elem->MsgLen = LENGTH_802_11 + LENGTH_802_1_H + PayloadSize;
WpaEAPOLKeyAction(pAd, Elem); WpaEAPOLKeyAction(pAd, Elem);
......
...@@ -777,6 +777,8 @@ INT __devinit rt28xx_probe( ...@@ -777,6 +777,8 @@ INT __devinit rt28xx_probe(
// Allocate RTMP_ADAPTER miniport adapter structure // Allocate RTMP_ADAPTER miniport adapter structure
handle = kmalloc(sizeof(struct os_cookie), GFP_KERNEL); handle = kmalloc(sizeof(struct os_cookie), GFP_KERNEL);
if (handle == NULL)
goto err_out_free_netdev;;
RT28XX_HANDLE_DEV_ASSIGN(handle, dev_p); RT28XX_HANDLE_DEV_ASSIGN(handle, dev_p);
status = RTMPAllocAdapterBlock(handle, &pAd); status = RTMPAllocAdapterBlock(handle, &pAd);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment