Date: Mon, 7 Jan 2013 04:19:18 +0100
From: Lennert Buytenhek
To: Nickolai Zeldovich
Cc: "John W. Linville", linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drivers/net/wireless/mwl8k.c: avoid use-after-free
Message-ID: <20130107031918.GA27530@wantstofly.org>
References: <1357522042-39255-1-git-send-email-nickolai@csail.mit.edu> <20130107024827.GZ27530@wantstofly.org>

On Sun, Jan 06, 2013 at 10:02:14PM -0500, Nickolai Zeldovich wrote:

> > Good catch, but the patch would be better titled "mwl8k.c: avoid
> > having a working driver", as the station_id return code _is_ needed
> > by the caller in case of success.
>
> I'm not quite sure what you mean -- is there something subtle going on
> here?  I believe my patch preserves the semantics of the original
> code: it returns the value of p->station_id if mwl8k_post_cmd()
> returned 0, but it just does so by reading p->station_id first before
> calling kfree(cmd).

Oops!  You're right.  Sorry about that.

/me goes to order some crow for dinner
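
The ordering discussed in this thread, as an added example that is not part of the original message or of the mwl8k driver. It is a user-space C model: the struct layout, the function names, the -EIO failure value and the poison-then-free stand-in for kfree() are all assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: only the station_id field is named in the thread. */
struct sta_cmd {
    uint16_t code;
    uint8_t station_id;            /* written by the firmware on success */
};

/* Hypothetical stand-in for mwl8k_post_cmd(): 0 on success, -errno on failure. */
static int post_cmd(struct sta_cmd *cmd, int fail, uint8_t assigned_id)
{
    if (fail)
        return -EIO;
    cmd->station_id = assigned_id;
    return 0;
}

/* Models kfree() deterministically: poison the contents, then free.
 * With read_first == 0 the read happens between the two steps, so the
 * stale value is observable without touching freed memory. */
static int add_station(int read_first, int fail, uint8_t assigned_id)
{
    struct sta_cmd *cmd = calloc(1, sizeof(*cmd));
    int rc;

    if (cmd == NULL)
        return -ENOMEM;
    rc = post_cmd(cmd, fail, assigned_id);
    if (read_first && rc == 0)
        rc = cmd->station_id;      /* fixed order: copy out while live */
    memset(cmd, 0xA5, sizeof(*cmd));
    if (!read_first && rc == 0)
        rc = cmd->station_id;      /* old order: result read after release */
    free(cmd);
    return rc;
}

/* Ordering the reply describes: read p->station_id, then kfree(cmd). */
int add_station_fixed(int fail, uint8_t id) { return add_station(1, fail, id); }

/* Ordering the patch subject calls a use-after-free. */
int add_station_stale(int fail, uint8_t id) { return add_station(0, fail, id); }
```

In both orderings a failed command returns the error code unchanged; only the success path differs, which is the semantics the quoted reply says the patch preserves.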