Chuck Ebbert b9204c
From: David S. Miller <davem@davemloft.net>
Chuck Ebbert b9204c
Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
Chuck Ebbert b9204c
Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
Chuck Ebbert b9204c
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
Chuck Ebbert b9204c
Chuck Ebbert b9204c
irda: Correctly clean up self->ias_obj on irda_bind() failure.
Chuck Ebbert b9204c
Chuck Ebbert b9204c
If irda_open_tsap() fails, the irda_bind() code tries to destroy
Chuck Ebbert b9204c
the ->ias_obj object by hand, but does so wrongly.
Chuck Ebbert b9204c
Chuck Ebbert b9204c
In particular, it fails to a) release the hashbin attached to the
Chuck Ebbert b9204c
object and b) reset the self->ias_obj pointer to NULL.
Chuck Ebbert b9204c
Chuck Ebbert b9204c
Fix both problems by using irias_delete_object() and explicitly
Chuck Ebbert b9204c
setting self->ias_obj to NULL, just as irda_release() does.
Chuck Ebbert b9204c
Chuck Ebbert b9204c
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Chuck Ebbert b9204c
Signed-off-by: David S. Miller <davem@davemloft.net>
Chuck Ebbert b9204c
---
Chuck Ebbert b9204c
Chuck Ebbert b9204c
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
Chuck Ebbert b9204c
index 79986a6..fd55b51 100644
Chuck Ebbert b9204c
--- a/net/irda/af_irda.c
Chuck Ebbert b9204c
+++ b/net/irda/af_irda.c
Chuck Ebbert b9204c
@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
Chuck Ebbert b9204c
 
Chuck Ebbert b9204c
 	err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
Chuck Ebbert b9204c
 	if (err < 0) {
Chuck Ebbert b9204c
-		kfree(self->ias_obj->name);
Chuck Ebbert b9204c
-		kfree(self->ias_obj);
Chuck Ebbert b9204c
+		irias_delete_object(self->ias_obj);
Chuck Ebbert b9204c
+		self->ias_obj = NULL;
Chuck Ebbert b9204c
 		return err;
Chuck Ebbert b9204c
 	}
Chuck Ebbert b9204c