projects / openwrt / openwrt.git / blob
? search:


1b56f6d7ce3ca7e530abc9201f98b434feae22a7
[openwrt/openwrt.git] / package / kernel / mac80211 / patches / brcm / 111-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch
1 From 216b44000ada87a63891a8214c347e05a4aea8fe Mon Sep 17 00:00:00 2001
2 From: Dan Carpenter <dan.carpenter@oracle.com>
3 Date: Tue, 3 Dec 2019 12:58:55 +0300
4 Subject: [PATCH] brcmfmac: Fix use after free in brcmf_sdio_readframes()
5
6 The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a
7 static checker warning:
8
9 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes()
10 error: dereferencing freed memory 'pkt'
11
12 It looks like there was supposed to be a continue after we free "pkt".
13
14 Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine")
15 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
16 Acked-by: Franky Lin <franky.lin@broadcom.com>
17 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
18 ---
19 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 +
20 1 file changed, 1 insertion(+)
21
22 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
23 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
24 @@ -1935,6 +1935,7 @@ static uint brcmf_sdio_readframes(struct
25 BRCMF_SDIO_FT_NORMAL)) {
26 rd->len = 0;
27 brcmu_pkt_buf_free_skb(pkt);
28 + continue;
29 }
30 bus->sdcnt.rx_readahead_cnt++;
31 if (rd->len != roundup(rd_new.len, 16)) {
OpenWrt Source Repository