diff options
author | Margit Schubert-While <margitsw@t-online.de> | 2004-08-10 08:51:37 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@ppc970.osdl.org> | 2004-08-10 08:51:37 -0400 |
commit | d716e082ef6078100f96807434a8269b707149ca (patch) | |
tree | 017e2005e962323ab7527b274bf68e980d1fedf3 /drivers | |
parent | 0391355e3cb86e31306c5a18da9ef7169cbad5a9 (diff) | |
download | history-d716e082ef6078100f96807434a8269b707149ca.tar.gz |
[PATCH] prism54 Fix memory leaks
* Change the "version" OID to what it should be.
* Fix memory leaks - mgt_get_request always returns
* allocated memory for non-int OIDS (with an exception -
* keep reading). If the caller checks the return and itself
* returns, then it must free memory.
* However, it is possible to return from mgt_get_request
* early (!priv->mib). In this case, weird things can happen
* in isl_ioctl. Quick fix, at least to force an oops, is
* to set the union value to NULL. The real fix is to
* recode all mgt_get_request calls in isl_ioctl.
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/net/wireless/prism54/isl_ioctl.c | 12 | ||||
-rw-r--r-- | drivers/net/wireless/prism54/oid_mgt.c | 4 |
2 files changed, 12 insertions, 4 deletions
diff --git a/drivers/net/wireless/prism54/isl_ioctl.c b/drivers/net/wireless/prism54/isl_ioctl.c index 3ea6515e3428f1..6ae522a08a2fb5 100644 --- a/drivers/net/wireless/prism54/isl_ioctl.c +++ b/drivers/net/wireless/prism54/isl_ioctl.c @@ -820,9 +820,11 @@ prism54_set_rate(struct net_device *ndev, return mgt_set_request(priv, DOT11_OID_PROFILES, 0, &profile); } - if ((ret = - mgt_get_request(priv, DOT11_OID_SUPPORTEDRATES, 0, NULL, &r))) + ret = mgt_get_request(priv, DOT11_OID_SUPPORTEDRATES, 0, NULL, &r); + if (ret) { + kfree(r.ptr); return ret; + } rate = (u32) (vwrq->value / 500000); data = r.ptr; @@ -840,6 +842,7 @@ prism54_set_rate(struct net_device *ndev, } if (!data[i]) { + kfree(r.ptr); return -EINVAL; } @@ -888,8 +891,11 @@ prism54_get_rate(struct net_device *ndev, vwrq->value = r.u * 500000; /* request the device for the enabled rates */ - if ((rvalue = mgt_get_request(priv, DOT11_OID_RATES, 0, NULL, &r))) + rvalue = mgt_get_request(priv, DOT11_OID_RATES, 0, NULL, &r); + if (rvalue) { + kfree(r.ptr); return rvalue; + } data = r.ptr; vwrq->fixed = (data[0] != 0) && (data[1] == 0); kfree(r.ptr); diff --git a/drivers/net/wireless/prism54/oid_mgt.c b/drivers/net/wireless/prism54/oid_mgt.c index c4ec1e4878e082..333926d324ba20 100644 --- a/drivers/net/wireless/prism54/oid_mgt.c +++ b/drivers/net/wireless/prism54/oid_mgt.c @@ -219,7 +219,7 @@ struct oid_t isl_oid[] = { OID_UNKNOWN(OID_INL_MEMORY, 0xFF020002), OID_U32_C(OID_INL_MODE, 0xFF020003), OID_UNKNOWN(OID_INL_COMPONENT_NR, 0xFF020004), - OID_UNKNOWN(OID_INL_VERSION, 0xFF020005), + OID_STRUCT(OID_INL_VERSION, 0xFF020005, u8[8], OID_TYPE_RAW), OID_UNKNOWN(OID_INL_INTERFACE_ID, 0xFF020006), OID_UNKNOWN(OID_INL_COMPONENT_ID, 0xFF020007), OID_U32_C(OID_INL_CONFIG, 0xFF020008), @@ -481,6 +481,8 @@ mgt_get_request(islpci_private *priv, enum oid_num_t n, int extra, void *data, BUG_ON(OID_NUM_LAST <= n); BUG_ON(extra > isl_oid[n].range); + res->ptr = NULL; + if (!priv->mib) /* memory has been freed */ return -1; |