| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Aug 2023 17:35:28 +0800
From: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
To: <marcel@...tmann.org>
CC: <johan.hedberg@...il.com>, <luiz.dentz@...il.com>,
<seema.sreemantha@...el.com>, <kiran.k@...el.com>,
<linux-bluetooth@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<yusongping@...wei.com>, <artem.kuzin@...wei.com>
Subject: [PATCH] Bluetooth: btintel: fix dereference after free in btintel_ppag_callback()
'buffer.pointer' is freed and then dereferenced via 'p' pointer at
'bt_dev_warn' function call.
Fixes: c585a92b2f9c ("Bluetooth: btintel: Set Per Platform Antenna Gain(PPAG)")
Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@...wei-partners.com>
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
---
drivers/bluetooth/btintel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index d9349ba48..4ac1eba9c 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -1340,11 +1340,11 @@ static acpi_status btintel_ppag_callback(acpi_handle handle, u32 lvl, void *data
p = buffer.pointer;
ppag = (struct btintel_ppag *)data;
if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) {
- kfree(buffer.pointer);
bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d",
p->type, p->package.count);
+ kfree(buffer.pointer);
ppag->status = AE_ERROR;
return AE_ERROR;
}
--
2.34.1
Powered by blists - more mailing lists