[PATCH] Staging: bcm: avoid use-after-free in bcm_char_ioctl()

Xi Wang xi.wang at gmail.com
Wed Mar 6 21:32:25 UTC 2013


Free pBulkBuffer (pvBuffer) after pBulkBuffer->Register.

Signed-off-by: Xi Wang <xi.wang at gmail.com>
---
 drivers/staging/bcm/Bcmchar.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 491e2bf..35641e5 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -1148,8 +1148,8 @@ cntrlEnd:
 
 		if (((ULONG)pBulkBuffer->Register & 0x0F000000) != 0x0F000000 ||
 			((ULONG)pBulkBuffer->Register & 0x3)) {
-			kfree(pvBuffer);
 			BCM_DEBUG_PRINT (Adapter, DBG_TYPE_PRINTK, 0, 0, "WRM Done On invalid Address : %x Access Denied.\n", (int)pBulkBuffer->Register);
+			kfree(pvBuffer);
 			Status = -EINVAL;
 			break;
 		}
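Review bot: The changelog should say where the freed memory was read, since "after pBulkBuffer->Register" leaves that implicit: in the invalid-address branch of this hunk, the `(int)pBulkBuffer->Register` argument to BCM_DEBUG_PRINT was evaluated after `kfree(pvBuffer)`, and the changelog indicates pBulkBuffer refers to that same allocation. Moving the kfree() below the print fixes the ordering, and the remaining `Status = -EINVAL;` and `break;` lines do not touch the buffer. A more robust variant would copy pBulkBuffer->Register into a local before the address check and use that local in both the test and the message, so the error path no longer depends on statement order. Separately, the format string passes a value cast to int for `%x`, while the check above treats Register as ULONG; if the field is wider than int, the logged address is truncated.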
-- 
1.7.10.4



