diff options
author | Kieran Bingham <kieranbingham@gmail.com> | 2015-09-02 14:51:10 +0200 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2015-09-17 13:20:02 +0200 |
commit | 517a5460a93d641e2beb362d4066f9861f108e2f (patch) | |
tree | 213b888f26c59ea5b46c2533a796edf69a90b0f5 /drivers/bluetooth/btmrvl_main.c | |
parent | Bluetooth: close HCI device when user channel socket gets closed (diff) | |
download | linux-517a5460a93d641e2beb362d4066f9861f108e2f.tar.xz linux-517a5460a93d641e2beb362d4066f9861f108e2f.zip |
Bluetooth: btmrvl: skb resource leak, and double free.
if btmrvl_tx_pkt() is called, and the branch
if (skb_headroom(skb) < BTM_HEADER_LEN)
evaluates positive, a new skb is allocated via skb_realloc_headroom.
The original skb is stored in a tmp variable, before being free'd.
However on success, the new skb, is not free'd, nor is it
returned to the caller which will then double-free the original skb.
This issue exists from the original driver submission in
commit: #132ff4e5fa8dfb71a7d99902f88043113947e972
If this code path had been alive, it would have been noted from the
double-free causing a panic.
All skb's here should be allocated through bt_skb_alloc which
adds 8 bytes as headroom, which is plenty against the 4 bytes
pushed on by this driver.
This code path is dead, and buggy at the same time, so the cleanest
approach is to remove the affected branch.
Reported by coverity (CID 113422)
Signed-off-by: Kieran Bingham <kieranbingham@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to '')
-rw-r--r-- | drivers/bluetooth/btmrvl_main.c | 14 |
1 files changed, 0 insertions, 14 deletions
diff --git a/drivers/bluetooth/btmrvl_main.c b/drivers/bluetooth/btmrvl_main.c index de05deb444ce..bc110f61c8b1 100644 --- a/drivers/bluetooth/btmrvl_main.c +++ b/drivers/bluetooth/btmrvl_main.c @@ -377,20 +377,6 @@ static int btmrvl_tx_pkt(struct btmrvl_private *priv, struct sk_buff *skb) return -EINVAL; } - if (skb_headroom(skb) < BTM_HEADER_LEN) { - struct sk_buff *tmp = skb; - - skb = skb_realloc_headroom(skb, BTM_HEADER_LEN); - if (!skb) { - BT_ERR("Tx Error: realloc_headroom failed %d", - BTM_HEADER_LEN); - skb = tmp; - return -EINVAL; - } - - kfree_skb(tmp); - } - skb_push(skb, BTM_HEADER_LEN); /* header type: byte[3] |