| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Jan 2016 15:04:31 +0100 From: Stanislaw Gruszka <sgruszka@...hat.com> To: Jia-Ju Bai <baijiaju1990@....com> Cc: kvalo@...eaurora.org, johannes.berg@...el.com, emmanuel.grumbach@...el.com, ilw@...ux.intel.com, linuxwifi@...el.com, linux-wireless@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH v2] iwl4965: Fix a null pointer dereference in il_tx_queue_free and il_cmd_queue_free On Mon, Jan 11, 2016 at 09:42:54PM +0800, Jia-Ju Bai wrote: > If "txq->cmd = kzalloc(...)" in il_tx_queue_init fails, > "kfree(txq->cmd[i])" in il_tx_queue_free and il_cmd_queue_free > in iwl4965_hw_txq_ctx_free will causes a null pointer dereference, > because txq->cmd is NULL at that time. > > This patch fixes this problem by adding a if-check before kfree. > To avoid double free in il_tx_queue_free and il_cmd_queue_free > caused by the fixing, txq->meta and txq->cmd in error handling code > of il_tx_queue_init are assigned null values. > Otherwise, a double free will occur. > > This patch has been tested in real device, and it actually fixes the bug. > Thanks Stanislaw for his suggestion. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@....com> Acked-by: Stanislaw Gruszka <sgruszka@...hat.com>
Powered by blists - more mailing lists