[Patch] Possible double free in net/bluetooth/sco.c

From: Eric Sesterhenn
Date: Tue Apr 04 2006 - 15:25:40 EST

Next message: Zachary Amsden: "Re: 2.6.17-rc1-mm1: KEXEC became SMP-only"
Previous message: Mark Bellon: "[PATCH] MPBL0010 driver sysfs permissions wide open"
Next in thread: David S. Miller: "Re: [Patch] Possible double free in net/bluetooth/sco.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

hi,

this fixes coverity bug id #1068.
hci_send_sco() frees skb if (skb->len > hdev->sco_mtu).
Since it returns a negative error value only in this case, we
can directly return here.

Signed-off-by: Eric Sesterhenn <snakebyte@xxxxxx>

--- linux-2.6.17-rc1/net/bluetooth/sco.c.orig 2006-04-04 21:19:51.000000000 +0200
+++ linux-2.6.17-rc1/net/bluetooth/sco.c 2006-04-04 21:20:34.000000000 +0200
@@ -255,7 +255,7 @@ static inline int sco_send_frame(struct
}

if ((err = hci_send_sco(conn->hcon, skb)) < 0)
- goto fail;
+ return err;

return count;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Zachary Amsden: "Re: 2.6.17-rc1-mm1: KEXEC became SMP-only"
Previous message: Mark Bellon: "[PATCH] MPBL0010 driver sysfs permissions wide open"
Next in thread: David S. Miller: "Re: [Patch] Possible double free in net/bluetooth/sco.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]