aboutsummaryrefslogtreecommitdiffstatshomepage
diff options
context:
space:
mode:
authorColin Ian King <colin.king@canonical.com>2017-06-30 11:08:43 +0100
committerKalle Valo <kvalo@codeaurora.org>2017-07-27 13:58:18 +0300
commitd0116f6f7b306bc2d1bfc98d7c7c80fe5f468c20 (patch)
tree3b6e61f28156cb110ef8b1be486f285009c594eb
parentmwifiex: correct channel stat buffer overflows (diff)
downloadwireguard-linux-d0116f6f7b306bc2d1bfc98d7c7c80fe5f468c20.tar.xz
wireguard-linux-d0116f6f7b306bc2d1bfc98d7c7c80fe5f468c20.zip
rtlwifi: kfree entry until after entry->bssid has been accessed
The current code kfree's entry and then dereferences it by accessing entry->bssid. Avoid the dereference-after-free by moving the kfree after the access to entry->bssid. Detected by CoverityScan, CID#1448600 ("Read from pointer after free") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Diffstat
-rw-r--r--drivers/net/wireless/realtek/rtlwifi/base.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
index e36ee592c660..208f56297a75 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.c
+++ b/drivers/net/wireless/realtek/rtlwifi/base.c
@@ -1735,12 +1735,12 @@ void rtl_scan_list_expire(struct ieee80211_hw *hw)
continue;
list_del(&entry->list);
- kfree(entry);
rtlpriv->scan_list.num--;
RT_TRACE(rtlpriv, COMP_SCAN, DBG_LOUD,
"BSSID=%pM is expire in scan list (total=%d)\n",
entry->bssid, rtlpriv->scan_list.num);
+ kfree(entry);
}
spin_unlock_irqrestore(&rtlpriv->locks.scan_list_lock, flags);
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.