summaryrefslogtreecommitdiffstats
path: root/drivers/net/wireless/libertas/debugfs.c
diff options
context:
space:
mode:
authorHolger Schurig <hs4233@mail.mn-solutions.de>2007-12-10 12:19:55 +0100
committerDavid S. Miller <davem@davemloft.net>2008-01-29 00:06:34 +0100
commitb6b8abe4ddec2cfb3471ea60f965a137cd4d529d (patch)
treebd666f4ecea2477fb7734abfb0e5a150549694e2 /drivers/net/wireless/libertas/debugfs.c
parentlibertas: kill (IS,SET,UNSET)_MESH_FRAME. (diff)
downloadlinux-b6b8abe4ddec2cfb3471ea60f965a137cd4d529d.tar.xz
linux-b6b8abe4ddec2cfb3471ea60f965a137cd4d529d.zip
libertas: fix use-after-free error
Previously, the display of subscribed events could be wrong. Signed-off-by: Holger Schurig <hs4233@mail.mn-solutions.de> Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/libertas/debugfs.c')
-rw-r--r--drivers/net/wireless/libertas/debugfs.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
index 745191a68962..c5130a2581fe 100644
--- a/drivers/net/wireless/libertas/debugfs.c
+++ b/drivers/net/wireless/libertas/debugfs.c
@@ -410,30 +410,32 @@ static ssize_t lbs_threshold_read(
char *buf = (char *)addr;
u8 value;
u8 freq;
+ int events = 0;
- struct cmd_ds_802_11_subscribe_event *events = kzalloc(
+ struct cmd_ds_802_11_subscribe_event *subscribed = kzalloc(
sizeof(struct cmd_ds_802_11_subscribe_event),
GFP_KERNEL);
struct mrvlietypes_thresholds *got;
res = lbs_prepare_and_send_command(priv,
CMD_802_11_SUBSCRIBE_EVENT, CMD_ACT_GET,
- CMD_OPTION_WAITFORRSP, 0, events);
+ CMD_OPTION_WAITFORRSP, 0, subscribed);
if (res) {
- kfree(events);
+ kfree(subscribed);
return res;
}
- got = lbs_tlv_find(tlv_type, events->tlv, sizeof(events->tlv));
+ got = lbs_tlv_find(tlv_type, subscribed->tlv, sizeof(subscribed->tlv));
if (got) {
value = got->value;
freq = got->freq;
+ events = le16_to_cpu(subscribed->events);
}
- kfree(events);
+ kfree(subscribed);
if (got)
pos += snprintf(buf, len, "%d %d %d\n", value, freq,
- !!(le16_to_cpu(events->events) & event_mask));
+ !!(events & event_mask));
res = simple_read_from_buffer(userbuf, count, ppos, buf, pos);