
staging: rtl8712: fix use after free bugs

_Read/Write_MACREG callbacks are NULL so the read/write_macreg_hdl()
functions don't do anything except free the "pcmd" pointer. It
results in a use after free. Delete them.

Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
Cc: stable <stable@kernel.org>
Reported-by: Zheng Wang <hackerzheng666@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/Yw4ASqkYcUhUfoY2@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Dan Carpenter and committed by
Greg Kroah-Hartman
e230a445 e01f5c8d

-36
-36
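--- a/drivers/staging/rtl8712/rtl8712_cmd.c
+++ b/drivers/staging/rtl8712/rtl8712_cmd.c
@@ -117,34 +117,6 @@
 	kfree(pdrvcmd->pbuf);
 }
 
-static u8 read_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
-{
-	void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd);
-	struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;
-
-	/* invoke cmd->callback function */
-	pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
-	if (!pcmd_callback)
-		r8712_free_cmd_obj(pcmd);
-	else
-		pcmd_callback(padapter, pcmd);
-	return H2C_SUCCESS;
-}
-
-static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
-{
-	void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd);
-	struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;
-
-	/* invoke cmd->callback function */
-	pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
-	if (!pcmd_callback)
-		r8712_free_cmd_obj(pcmd);
-	else
-		pcmd_callback(padapter, pcmd);
-	return H2C_SUCCESS;
-}
-
 static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
 {
 	struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;
@@ -213,14 +185,6 @@
 	pcmd_r = NULL;
 
 	switch (pcmd->cmdcode) {
-	case GEN_CMD_CODE(_Read_MACREG):
-		read_macreg_hdl(padapter, (u8 *)pcmd);
-		pcmd_r = pcmd;
-		break;
-	case GEN_CMD_CODE(_Write_MACREG):
-		write_macreg_hdl(padapter, (u8 *)pcmd);
-		pcmd_r = pcmd;
-		break;
 	case GEN_CMD_CODE(_Read_BBREG):
 		read_bbreg_hdl(padapter, (u8 *)pcmd);
 		break;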