From 3e7830ceb94cd06c05832a0d53cf324db3792418 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 31 Oct 2014 12:14:39 +0300 Subject: [PATCH] HID: logitech-hidpp: leaks and NULL dereferences Shift the allocation down a few lines to avoid a memory leak and also add a check for allocation failure. Fixes: 2f31c5252910 ('HID: Introduce hidpp, a module to handle Logitech hid++ devices') Signed-off-by: Dan Carpenter Reviewed-by: Benjamin Tissoires Signed-off-by: Jiri Kosina --- drivers/hid/hid-logitech-hidpp.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c index 361e97da1169..8d2d54b527b0 100644 --- a/drivers/hid/hid-logitech-hidpp.c +++ b/drivers/hid/hid-logitech-hidpp.c @@ -200,13 +200,15 @@ static int hidpp_send_fap_command_sync(struct hidpp_device *hidpp, u8 feat_index, u8 funcindex_clientid, u8 *params, int param_count, struct hidpp_report *response) { - struct hidpp_report *message = kzalloc(sizeof(struct hidpp_report), - GFP_KERNEL); + struct hidpp_report *message; int ret; if (param_count > sizeof(message->fap.params)) return -EINVAL; + message = kzalloc(sizeof(struct hidpp_report), GFP_KERNEL); + if (!message) + return -ENOMEM; message->report_id = REPORT_ID_HIDPP_LONG; message->fap.feature_index = feat_index; message->fap.funcindex_clientid = funcindex_clientid; @@ -221,8 +223,7 @@ static int hidpp_send_rap_command_sync(struct hidpp_device *hidpp_dev, u8 report_id, u8 sub_id, u8 reg_address, u8 *params, int param_count, struct hidpp_report *response) { - struct hidpp_report *message = kzalloc(sizeof(struct hidpp_report), - GFP_KERNEL); + struct hidpp_report *message; int ret; if ((report_id != REPORT_ID_HIDPP_SHORT) && @@ -232,6 +233,9 @@ static int hidpp_send_rap_command_sync(struct hidpp_device *hidpp_dev, if (param_count > sizeof(message->rap.params)) return -EINVAL; + message = kzalloc(sizeof(struct hidpp_report), GFP_KERNEL); + if (!message) + return -ENOMEM; message->report_id = report_id; message->rap.sub_id = sub_id; message->rap.reg_address = reg_address; -- 2.20.1