Skip to content

Commit

Permalink
NFC: pn533: Fix use after free
Browse files Browse the repository at this point in the history 
cmd was freed in pn533_dep_link_up regardless of
pn533_send_cmd_frame_async return code. Cmd is passed as argument to
pn533_in_dep_link_up_complete callback and should be freed there.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
  • Loading branch information
Szymon Janc authored and Samuel Ortiz committed Nov 19, 2012
1 parent 60ad07a commit 770f750
Showing 1 changed file with 2 additions and 6 deletions.
8 changes: 2 additions & 6 deletions drivers/nfc/pn533.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1820,12 +1820,8 @@ static int pn533_dep_link_up(struct nfc_dev *nfc_dev, struct nfc_target *target,
rc = pn533_send_cmd_frame_async(dev, dev->out_frame, dev->in_frame,
dev->in_maxlen, pn533_in_dep_link_up_complete,
cmd, GFP_KERNEL);
if (rc)
goto out;


out:
kfree(cmd);
if (rc < 0)
kfree(cmd);

return rc;
}
Expand Down

0 comments on commit 770f750

Please sign in to comment.