From d87ff58fda926fe5cb01214cccf1c72422ac776d Mon Sep 17 00:00:00 2001 From: Dan Carpenter <error27@gmail.com> Date: Mon, 26 Apr 2010 23:20:12 +0000 Subject: [PATCH] ipheth: potential null dereferences on error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The calls to usb_free_buffer() dereference rx_urb and tx_urb in the parameter list but those could be NULL. Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: L. Alberto Giménez <agimenez@sysvalve.es> Signed-off-by: David S. Miller <davem@davemloft.net> --- drivers/net/usb/ipheth.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c index fd1033130a81..418825d26f90 100644 --- a/drivers/net/usb/ipheth.c +++ b/drivers/net/usb/ipheth.c @@ -122,25 +122,25 @@ static int ipheth_alloc_urbs(struct ipheth_device *iphone) tx_urb = usb_alloc_urb(0, GFP_KERNEL); if (tx_urb == NULL) - goto error; + goto error_nomem; rx_urb = usb_alloc_urb(0, GFP_KERNEL); if (rx_urb == NULL) - goto error; + goto free_tx_urb; tx_buf = usb_buffer_alloc(iphone->udev, IPHETH_BUF_SIZE, GFP_KERNEL, &tx_urb->transfer_dma); if (tx_buf == NULL) - goto error; + goto free_rx_urb; rx_buf = usb_buffer_alloc(iphone->udev, IPHETH_BUF_SIZE, GFP_KERNEL, &rx_urb->transfer_dma); if (rx_buf == NULL) - goto error; + goto free_tx_buf; iphone->tx_urb = tx_urb; @@ -149,13 +149,14 @@ static int ipheth_alloc_urbs(struct ipheth_device *iphone) iphone->rx_buf = rx_buf; return 0; -error: - usb_buffer_free(iphone->udev, IPHETH_BUF_SIZE, rx_buf, - rx_urb->transfer_dma); +free_tx_buf: usb_buffer_free(iphone->udev, IPHETH_BUF_SIZE, tx_buf, tx_urb->transfer_dma); +free_rx_urb: usb_free_urb(rx_urb); +free_tx_urb: usb_free_urb(tx_urb); +error_nomem: return -ENOMEM; } -- GitLab