Skip to content

Commit

Permalink
net:nfc:digital: Fix a double free in digital_tg_recv_dep_req
Browse files Browse the repository at this point in the history 
In digital_tg_recv_dep_req, it calls nfc_tm_data_received(..,resp).
If nfc_tm_data_received() failed, the callee will free the resp via
kfree_skb() and return error. But in the exit branch, the resp
will be freed again.

My patch sets resp to NULL if nfc_tm_data_received() failed, to
avoid the double free.

Fixes: 1c7a4c2 ("NFC Digital: Add target NFC-DEP support")
Signed-off-by: Lv Yunlong <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
  • Loading branch information
@Yunlongs @davem330
Yunlongs authored and davem330 committed Apr 27, 2021
1 parent 0711459 commit 7525858
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/nfc/digital_dep.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1273,6 +1273,8 @@ static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg,
}

rc = nfc_tm_data_received(ddev->nfc_dev, resp);
if (rc)
resp = NULL;

exit:
kfree_skb(ddev->chaining_skb);
Expand Down

0 comments on commit 7525858

Please sign in to comment.