NFC: digital: Fix potential skb leaks in NFC-DEP code
authorMark A. Greer <mgreer@animalcreek.com>
Tue, 23 Sep 2014 23:38:02 +0000 (16:38 -0700)
committerSamuel Ortiz <sameo@linux.intel.com>
Fri, 28 Nov 2014 11:37:47 +0000 (12:37 +0100)
When digital_in_send_cmd() or digital_tg_send_cmd()
fail, they do not free the skb that was passed to
them so the routine that allocated the skb should
free it.  Currently, there are several routines in
the NFC-DEP code that don't do this so make them.

Reviewed-by: Thierry Escande <thierry.escande@linux.intel.com>
Tested-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
net/nfc/digital_dep.c

index b60aa35c074f5220f0b939b347881cab8e6c9db8..70fcce03e8a9e58019959bb68923af32d7abf898 100644 (file)
@@ -198,6 +198,7 @@ static int digital_in_send_psl_req(struct nfc_digital_dev *ddev,
 {
        struct sk_buff *skb;
        struct digital_psl_req *psl_req;
+       int rc;
 
        skb = digital_skb_alloc(ddev, sizeof(*psl_req));
        if (!skb)
@@ -217,8 +218,12 @@ static int digital_in_send_psl_req(struct nfc_digital_dev *ddev,
 
        ddev->skb_add_crc(skb);
 
-       return digital_in_send_cmd(ddev, skb, 500, digital_in_recv_psl_res,
-                                  target);
+       rc = digital_in_send_cmd(ddev, skb, 500, digital_in_recv_psl_res,
+                                target);
+       if (rc)
+               kfree_skb(skb);
+
+       return rc;
 }
 
 static void digital_in_recv_atr_res(struct nfc_digital_dev *ddev, void *arg,
@@ -286,6 +291,7 @@ int digital_in_send_atr_req(struct nfc_digital_dev *ddev,
        struct sk_buff *skb;
        struct digital_atr_req *atr_req;
        uint size;
+       int rc;
 
        size = DIGITAL_ATR_REQ_MIN_SIZE + gb_len;
 
@@ -325,8 +331,12 @@ int digital_in_send_atr_req(struct nfc_digital_dev *ddev,
 
        ddev->skb_add_crc(skb);
 
-       return digital_in_send_cmd(ddev, skb, 500, digital_in_recv_atr_res,
-                                  target);
+       rc = digital_in_send_cmd(ddev, skb, 500, digital_in_recv_atr_res,
+                                target);
+       if (rc)
+               kfree_skb(skb);
+
+       return rc;
 }
 
 static int digital_in_send_rtox(struct nfc_digital_dev *ddev,
@@ -357,6 +367,8 @@ static int digital_in_send_rtox(struct nfc_digital_dev *ddev,
 
        rc = digital_in_send_cmd(ddev, skb, 1500, digital_in_recv_dep_res,
                                 data_exch);
+       if (rc)
+               kfree_skb(skb);
 
        return rc;
 }
@@ -634,7 +646,6 @@ static int digital_tg_send_psl_res(struct nfc_digital_dev *ddev, u8 did,
 
        rc = digital_tg_send_cmd(ddev, skb, 0, digital_tg_send_psl_res_complete,
                                 (void *)(unsigned long)rf_tech);
-
        if (rc)
                kfree_skb(skb);
 
@@ -758,10 +769,8 @@ static int digital_tg_send_atr_res(struct nfc_digital_dev *ddev,
 
        rc = digital_tg_send_cmd(ddev, skb, 999,
                                 digital_tg_send_atr_res_complete, NULL);
-       if (rc) {
+       if (rc)
                kfree_skb(skb);
-               return rc;
-       }
 
        return rc;
 }