mwifiex: fix error handling in mwifiex_create_custom_regdomain
authorBob Copeland <me@bobcopeland.com>
Wed, 14 Sep 2016 12:42:36 +0000 (08:42 -0400)
committerKalle Valo <kvalo@codeaurora.org>
Sat, 17 Sep 2016 15:25:57 +0000 (18:25 +0300)
smatch reports:

sta_cmdresp.c:1053 mwifiex_create_custom_regdomain() warn: possible memory leak of 'regd'

Indeed, mwifiex_create_custom_regdomain() returns NULL in the
case that channel is missing in the TLV without freeing regd.

Moreover, some other error paths in this function return ERR_PTR
values which are assigned without checking to the regd field in
the mwifiex_adapter struct.  The latter is only null-checked where
used.

Fix by freeing regd in the error path, and only update
priv->adapter->regd if the returned pointer is valid.

Cc: Amitkumar Karwar <akarwar@marvell.com>
Cc: Nishant Sarmukadam <nishants@marvell.com>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c

index 3344a26bed03f3207fcb1dd8a48730ab48ef2eb9..8548027abf71bbe01d2f115e938d3cc79f2da086 100644 (file)
@@ -1049,8 +1049,10 @@ mwifiex_create_custom_regdomain(struct mwifiex_private *priv,
                enum nl80211_band band;
 
                chan = *buf++;
-               if (!chan)
+               if (!chan) {
+                       kfree(regd);
                        return NULL;
+               }
                chflags = *buf++;
                band = (chan <= 14) ? NL80211_BAND_2GHZ : NL80211_BAND_5GHZ;
                freq = ieee80211_channel_to_frequency(chan, band);
@@ -1116,6 +1118,7 @@ static int mwifiex_ret_chan_region_cfg(struct mwifiex_private *priv,
        u16 action = le16_to_cpu(reg->action);
        u16 tlv, tlv_buf_len, tlv_buf_left;
        struct mwifiex_ie_types_header *head;
+       struct ieee80211_regdomain *regd;
        u8 *tlv_buf;
 
        if (action != HostCmd_ACT_GEN_GET)
@@ -1137,10 +1140,10 @@ static int mwifiex_ret_chan_region_cfg(struct mwifiex_private *priv,
                        mwifiex_dbg_dump(priv->adapter, CMD_D, "CHAN:",
                                         (u8 *)head + sizeof(*head),
                                         tlv_buf_len);
-                       priv->adapter->regd =
-                               mwifiex_create_custom_regdomain(priv,
-                                                               (u8 *)head +
-                                               sizeof(*head), tlv_buf_len);
+                       regd = mwifiex_create_custom_regdomain(priv,
+                               (u8 *)head + sizeof(*head), tlv_buf_len);
+                       if (!IS_ERR(regd))
+                               priv->adapter->regd = regd;
                        break;
                }