NFC: use after free on error

We returned a freed variable on some error paths when the intent was to return a NULL. Part of the reason this was missed was that the code was confusing because it had too many gotos so I removed them and simplified the flow a bit. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Lauro Ramos Venancio <lauro.venancio@openbossa.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
git-mirror · Sep 27, 2011 · 8ebafde · 8ebafde
1 parent 84b1bec
commit 8ebafde
Showing 1 changed file with 6 additions and 8 deletions.
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
@@ -499,19 +499,19 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops,
 					int tx_headroom,
 					int tx_tailroom)
 {
-	struct nci_dev *ndev = NULL;
+	struct nci_dev *ndev;
 
 	nfc_dbg("entry, supported_protocols 0x%x", supported_protocols);
 
 	if (!ops->open || !ops->close || !ops->send)
-		goto exit;
+		return NULL;
 
 	if (!supported_protocols)
-		goto exit;
+		return NULL;
 
 	ndev = kzalloc(sizeof(struct nci_dev), GFP_KERNEL);
 	if (!ndev)
-		goto exit;
+		return NULL;
 
 	ndev->ops = ops;
 	ndev->tx_headroom = tx_headroom;
@@ -526,13 +526,11 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops,
 
 	nfc_set_drvdata(ndev->nfc_dev, ndev);
 
-	goto exit;
+	return ndev;
 
 free_exit:
 	kfree(ndev);
-
-exit:
-	return ndev;
+	return NULL;
 }
 EXPORT_SYMBOL(nci_allocate_device);