2009-07-19 12:51:51

by Dan Carpenter

Subject: iwmc3200wifi: using freed memory in iwm_hal_send_target_cmd()

Hello,

I found this with a source code checker (http://repo.or.cz/w/smatch.git).

We free "cmd" on line 390 and then dereference it on line 396. I don't
know what we should return in that case or I would have sent a patch.
Sorry.

drivers/net/wireless/iwmc3200wifi/hal.c
   390          if (!udma_cmd->resp)
   391                  kfree(cmd);
   392
   393          if (ret < 0)
   394                  return ret;
   395
   396          return cmd->seq_num;

regards,
dan carpenter


2009-07-20 02:09:34

by Zhu Yi

Subject: Re: iwmc3200wifi: using freed memory in iwm_hal_send_target_cmd()

On Sun, 2009-07-19 at 19:53 +0800, Dan Carpenter wrote:
> Hello,
>
> I found this with a source code checker (http://repo.or.cz/w/smatch.git).
>
> We free "cmd" on line 390 and then dereference it on line 396. I don't
> know what we should return in that case or I would have sent a patch.
> Sorry.
>
> drivers/net/wireless/iwmc3200wifi/hal.c
>    390          if (!udma_cmd->resp)
>    391                  kfree(cmd);
>    392
>    393          if (ret < 0)
>    394                  return ret;
>    395
>    396          return cmd->seq_num;

Good catch! I'll send out a patch later.

Thanks,
-yi
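
Added example, not code from the driver or from either poster: a user-space model of the free-then-dereference ordering reported above, next to one possible reordering that copies seq_num out before the release. The struct layouts, function names and cmd_free() wrapper are hypothetical, and returning the sequence number after the free is an assumption, since the thread does not say what the function should return in that case.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the driver's structures; only the fields
 * named in the report (resp, seq_num) are modelled. */
struct udma_cmd { int resp; };
struct cmd { int seq_num; };

static int frees;               /* counts releases so callers can observe them */

static void cmd_free(struct cmd *c)     /* stands in for kfree() */
{
    free(c);
    frees++;
}

/* Ordering from the report: cmd is released when no response is expected,
 * then cmd->seq_num is read on the success path. Kept for comparison only;
 * calling it with resp == 0 and ret >= 0 is undefined behaviour. */
int send_cmd_reported(struct udma_cmd *u, struct cmd *c, int ret)
{
    if (!u->resp)
        cmd_free(c);
    if (ret < 0)
        return ret;
    return c->seq_num;          /* use after free when u->resp == 0 */
}

/* Reordered: copy the field while cmd is still valid, then release it. */
int send_cmd_fixed(struct udma_cmd *u, struct cmd *c, int ret)
{
    int seq_num = c->seq_num;   /* last access to *c */

    if (!u->resp)
        cmd_free(c);
    if (ret < 0)
        return ret;
    return seq_num;
}

/* Allocate a constructed command with the given sequence number. */
struct cmd *make_cmd(int seq)
{
    struct cmd *c = malloc(sizeof(*c));

    if (c)
        c->seq_num = seq;
    return c;
}
```

Building send_cmd_reported() with -fsanitize=address and calling it with resp == 0 makes the bad read visible as a heap-use-after-free report.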