iwmc3200wifi: fix a use-after-free bug
The patch fixes a use-after-free bug for cmd->seq_num; Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
@@ -105,7 +105,7 @@
|
|||||||
#include "umac.h"
|
#include "umac.h"
|
||||||
#include "debug.h"
|
#include "debug.h"
|
||||||
|
|
||||||
static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
|
static int iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
|
||||||
struct iwm_nonwifi_cmd *cmd,
|
struct iwm_nonwifi_cmd *cmd,
|
||||||
struct iwm_udma_nonwifi_cmd *udma_cmd)
|
struct iwm_udma_nonwifi_cmd *udma_cmd)
|
||||||
{
|
{
|
||||||
@@ -118,7 +118,7 @@ static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
|
|||||||
cmd->seq_num = iwm->nonwifi_seq_num;
|
cmd->seq_num = iwm->nonwifi_seq_num;
|
||||||
udma_cmd->seq_num = cpu_to_le16(cmd->seq_num);
|
udma_cmd->seq_num = cpu_to_le16(cmd->seq_num);
|
||||||
|
|
||||||
cmd->seq_num = iwm->nonwifi_seq_num++;
|
iwm->nonwifi_seq_num++;
|
||||||
iwm->nonwifi_seq_num %= UMAC_NONWIFI_SEQ_NUM_MAX;
|
iwm->nonwifi_seq_num %= UMAC_NONWIFI_SEQ_NUM_MAX;
|
||||||
|
|
||||||
if (udma_cmd->resp)
|
if (udma_cmd->resp)
|
||||||
@@ -130,6 +130,8 @@ static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
|
|||||||
cmd->buf.len = 0;
|
cmd->buf.len = 0;
|
||||||
|
|
||||||
memcpy(&cmd->udma_cmd, udma_cmd, sizeof(*udma_cmd));
|
memcpy(&cmd->udma_cmd, udma_cmd, sizeof(*udma_cmd));
|
||||||
|
|
||||||
|
return cmd->seq_num;
|
||||||
}
|
}
|
||||||
|
|
||||||
u16 iwm_alloc_wifi_cmd_seq(struct iwm_priv *iwm)
|
u16 iwm_alloc_wifi_cmd_seq(struct iwm_priv *iwm)
|
||||||
@@ -369,7 +371,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm,
|
|||||||
const void *payload)
|
const void *payload)
|
||||||
{
|
{
|
||||||
struct iwm_nonwifi_cmd *cmd;
|
struct iwm_nonwifi_cmd *cmd;
|
||||||
int ret;
|
int ret, seq_num;
|
||||||
|
|
||||||
cmd = kzalloc(sizeof(struct iwm_nonwifi_cmd), GFP_KERNEL);
|
cmd = kzalloc(sizeof(struct iwm_nonwifi_cmd), GFP_KERNEL);
|
||||||
if (!cmd) {
|
if (!cmd) {
|
||||||
@@ -377,7 +379,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm,
|
|||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
}
|
}
|
||||||
|
|
||||||
iwm_nonwifi_cmd_init(iwm, cmd, udma_cmd);
|
seq_num = iwm_nonwifi_cmd_init(iwm, cmd, udma_cmd);
|
||||||
|
|
||||||
if (cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE ||
|
if (cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE ||
|
||||||
cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE_PERSISTENT) {
|
cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE_PERSISTENT) {
|
||||||
@@ -393,7 +395,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm,
|
|||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
return cmd->seq_num;
|
return seq_num;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void iwm_build_lmac_hdr(struct iwm_priv *iwm, struct iwm_lmac_hdr *hdr,
|
static void iwm_build_lmac_hdr(struct iwm_priv *iwm, struct iwm_lmac_hdr *hdr,
|
||||||
|
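Review bot: The lifetime rule this fix depends on is not written down in iwm_hal_send_target_cmd: after `seq_num = iwm_nonwifi_cmd_init(iwm, cmd, udma_cmd);` nothing at the call site says that `cmd` must not be read once it has been handed to the send path, so a later edit could reintroduce `return cmd->seq_num;`. I would add a comment above the assignment such as `/* cmd may be freed once it is queued; cache seq_num and do not dereference cmd after the send */`. The lines between the opcode check and `if (ret < 0)` lie outside the shown hunks, so the exact point where cmd is released is inferred from the commit message and should be confirmed there, including whether the `ret < 0` path also leaves cmd untouched. Separately, iwm_nonwifi_cmd_init now returns `int` while the neighbouring iwm_alloc_wifi_cmd_seq returns `u16`; a one-line comment stating that the return value is the sequence number assigned to the command would make the changed signature self-explanatory.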