From b6b8abe4ddec2cfb3471ea60f965a137cd4d529d Mon Sep 17 00:00:00 2001 From: Holger Schurig Date: Mon, 10 Dec 2007 12:19:55 +0100 Subject: libertas: fix use-after-free error Previously, the display of subscribed events could be wrong. Signed-off-by: Holger Schurig Signed-off-by: David Woodhouse Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/debugfs.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'drivers') diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c index 745191a6896..c5130a2581f 100644 --- a/drivers/net/wireless/libertas/debugfs.c +++ b/drivers/net/wireless/libertas/debugfs.c @@ -410,30 +410,32 @@ static ssize_t lbs_threshold_read( char *buf = (char *)addr; u8 value; u8 freq; + int events = 0; - struct cmd_ds_802_11_subscribe_event *events = kzalloc( + struct cmd_ds_802_11_subscribe_event *subscribed = kzalloc( sizeof(struct cmd_ds_802_11_subscribe_event), GFP_KERNEL); struct mrvlietypes_thresholds *got; res = lbs_prepare_and_send_command(priv, CMD_802_11_SUBSCRIBE_EVENT, CMD_ACT_GET, - CMD_OPTION_WAITFORRSP, 0, events); + CMD_OPTION_WAITFORRSP, 0, subscribed); if (res) { - kfree(events); + kfree(subscribed); return res; } - got = lbs_tlv_find(tlv_type, events->tlv, sizeof(events->tlv)); + got = lbs_tlv_find(tlv_type, subscribed->tlv, sizeof(subscribed->tlv)); if (got) { value = got->value; freq = got->freq; + events = le16_to_cpu(subscribed->events); } - kfree(events); + kfree(subscribed); if (got) pos += snprintf(buf, len, "%d %d %d\n", value, freq, - !!(le16_to_cpu(events->events) & event_mask)); + !!(events & event_mask)); res = simple_read_from_buffer(userbuf, count, ppos, buf, pos); -- cgit v1.2.3