HID: picolcd: Eliminate use after free

The skip label frees resp, which has not been allocated at the point of this goto and then does a break, based on the fact that err is non-zero. This is replaced by a break directly. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @free@ expression E; position p; @@ kfree@p(E) @@ expression free.E, subE<=free.E, E1; position free.p; @@ kfree@p(E) ... ( subE = E1 | * E ) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
git-mirror · May 17, 2010 · aeacb6f · aeacb6f
1 parent 9d71ea0
commit aeacb6f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/hid/hid-picolcd.c b/drivers/hid/hid-picolcd.c
@@ -1616,7 +1616,7 @@ static ssize_t _picolcd_flash_write(struct picolcd_data *data, int report_id,
 		raw_data[len_off] = s > 32 ? 32 : s;
 		if (copy_from_user(raw_data+len_off+1, u, raw_data[len_off])) {
 			err = -EFAULT;
-			goto skip;
+			break;
 		}
 		resp = picolcd_send_and_wait(data->hdev, report_id, raw_data,
 				len_off+1+raw_data[len_off]);