diff options
| author | Jiri Kosina <jkosina@suse.cz> | 2007-03-01 12:02:52 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2007-03-09 10:50:25 -0800 |
| commit | 01f919ed97b0bff878b930de3971214ad3d890a5 (patch) | |
| tree | 7e76bd64aa3e63b5838802ca24f56afda23c1a2f /drivers | |
| parent | e37713bb2cff2ed51496362e89a38ce143ea5a80 (diff) | |
HID: fix possible double-free on error path in hid parser
HID: fix possible double-free on error path in hid parser
Freeing of device->collection is properly done in hid_free_device() (as
this function is supposed to free all the device resources and could be
called from transport specific code, e.g. usb_hid_configure()).
Remove all kfree() calls preceeding the hid_free_device() call.
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/hid/hid-core.c | 5 |
1 files changed, 0 insertions, 5 deletions
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 49f18f5b251..5cb2500128e 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -670,7 +670,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size) if (item.format != HID_ITEM_FORMAT_SHORT) { dbg("unexpected long global item"); - kfree(device->collection); hid_free_device(device); kfree(parser); return NULL; @@ -679,7 +678,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size) if (dispatch_type[item.type](parser, &item)) { dbg("item %u %u %u %u parsing failed\n", item.format, (unsigned)item.size, (unsigned)item.type, (unsigned)item.tag); - kfree(device->collection); hid_free_device(device); kfree(parser); return NULL; @@ -688,14 +686,12 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size) if (start == end) { if (parser->collection_stack_ptr) { dbg("unbalanced collection at end of report description"); - kfree(device->collection); hid_free_device(device); kfree(parser); return NULL; } if (parser->local.delimiter_depth) { dbg("unbalanced delimiter at end of report description"); - kfree(device->collection); hid_free_device(device); kfree(parser); return NULL; @@ -706,7 +702,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size) } dbg("item fetching failed at offset %d\n", (int)(end - start)); - kfree(device->collection); hid_free_device(device); kfree(parser); return NULL; |