Commit c0181d420cc1a506ca4418ce90e2ad89831eee2c
Committed by
David S. Miller
David S. Miller
1 parent
a91eba5b9d
Exists in
master
and in
39 other branches
ax25: Fix ax25_cb refcounting in ax25_ctl_ioctl
Use ax25_cb_put after ax25_find_cb in ax25_ctl_ioctl. Reported-by: Bernard Pidoux F6BVP <f6bvp@free.fr> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Reviewed-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 17 additions and 10 deletions Side-by-side Diff
net/ax25/af_ax25.c
| ... | ... | @@ -358,6 +358,7 @@ |
| 358 | 358 | ax25_dev *ax25_dev; |
| 359 | 359 | ax25_cb *ax25; |
| 360 | 360 | unsigned int k; |
| 361 | + int ret = 0; | |
| 361 | 362 | |
| 362 | 363 | if (copy_from_user(&ax25_ctl, arg, sizeof(ax25_ctl))) |
| 363 | 364 | return -EFAULT; |
| 364 | 365 | |
| 365 | 366 | |
| 366 | 367 | |
| 367 | 368 | |
| 368 | 369 | |
| 369 | 370 | |
| 370 | 371 | |
| 371 | 372 | |
| 372 | 373 | |
| ... | ... | @@ -388,57 +389,63 @@ |
| 388 | 389 | case AX25_WINDOW: |
| 389 | 390 | if (ax25->modulus == AX25_MODULUS) { |
| 390 | 391 | if (ax25_ctl.arg < 1 || ax25_ctl.arg > 7) |
| 391 | - return -EINVAL; | |
| 392 | + goto einval_put; | |
| 392 | 393 | } else { |
| 393 | 394 | if (ax25_ctl.arg < 1 || ax25_ctl.arg > 63) |
| 394 | - return -EINVAL; | |
| 395 | + goto einval_put; | |
| 395 | 396 | } |
| 396 | 397 | ax25->window = ax25_ctl.arg; |
| 397 | 398 | break; |
| 398 | 399 | |
| 399 | 400 | case AX25_T1: |
| 400 | 401 | if (ax25_ctl.arg < 1) |
| 401 | - return -EINVAL; | |
| 402 | + goto einval_put; | |
| 402 | 403 | ax25->rtt = (ax25_ctl.arg * HZ) / 2; |
| 403 | 404 | ax25->t1 = ax25_ctl.arg * HZ; |
| 404 | 405 | break; |
| 405 | 406 | |
| 406 | 407 | case AX25_T2: |
| 407 | 408 | if (ax25_ctl.arg < 1) |
| 408 | - return -EINVAL; | |
| 409 | + goto einval_put; | |
| 409 | 410 | ax25->t2 = ax25_ctl.arg * HZ; |
| 410 | 411 | break; |
| 411 | 412 | |
| 412 | 413 | case AX25_N2: |
| 413 | 414 | if (ax25_ctl.arg < 1 || ax25_ctl.arg > 31) |
| 414 | - return -EINVAL; | |
| 415 | + goto einval_put; | |
| 415 | 416 | ax25->n2count = 0; |
| 416 | 417 | ax25->n2 = ax25_ctl.arg; |
| 417 | 418 | break; |
| 418 | 419 | |
| 419 | 420 | case AX25_T3: |
| 420 | 421 | if (ax25_ctl.arg < 0) |
| 421 | - return -EINVAL; | |
| 422 | + goto einval_put; | |
| 422 | 423 | ax25->t3 = ax25_ctl.arg * HZ; |
| 423 | 424 | break; |
| 424 | 425 | |
| 425 | 426 | case AX25_IDLE: |
| 426 | 427 | if (ax25_ctl.arg < 0) |
| 427 | - return -EINVAL; | |
| 428 | + goto einval_put; | |
| 428 | 429 | ax25->idle = ax25_ctl.arg * 60 * HZ; |
| 429 | 430 | break; |
| 430 | 431 | |
| 431 | 432 | case AX25_PACLEN: |
| 432 | 433 | if (ax25_ctl.arg < 16 || ax25_ctl.arg > 65535) |
| 433 | - return -EINVAL; | |
| 434 | + goto einval_put; | |
| 434 | 435 | ax25->paclen = ax25_ctl.arg; |
| 435 | 436 | break; |
| 436 | 437 | |
| 437 | 438 | default: |
| 438 | - return -EINVAL; | |
| 439 | + goto einval_put; | |
| 439 | 440 | } |
| 440 | 441 | |
| 441 | - return 0; | |
| 442 | +out_put: | |
| 443 | + ax25_cb_put(ax25); | |
| 444 | + return ret; | |
| 445 | + | |
| 446 | +einval_put: | |
| 447 | + ret = -EINVAL; | |
| 448 | + goto out_put; | |
| 442 | 449 | } |
| 443 | 450 | |
| 444 | 451 | static void ax25_fillin_cb_from_dev(ax25_cb *ax25, ax25_dev *ax25_dev) |