linux/drivers/bluetooth
Kieran Bingham 517a5460a9 Bluetooth: btmrvl: skb resource leak, and double free.
If btmrvl_tx_pkt() is called, and the branch
  if (skb_headroom(skb) < BTM_HEADER_LEN)
evaluates positive, a new skb is allocated via skb_realloc_headroom.

The original skb is stored in a tmp variable, before being free'd.
However, on success, the new skb is not free'd, nor is it
returned to the caller which will then double-free the original skb.

This issue exists from the original driver submission in
 commit: #132ff4e5fa8dfb71a7d99902f88043113947e972

If this code path had been alive, it would have been noted from the
double-free causing a panic.

All skb's here should be allocated through bt_skb_alloc which
adds 8 bytes as headroom, which is plenty against the 4 bytes
pushed on by this driver.

This code path is dead, and buggy at the same time, so the cleanest
approach is to remove the affected branch.

Reported by coverity (CID 113422)

Signed-off-by: Kieran Bingham <kieranbingham@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2015-09-17 13:20:02 +02:00
ath3k.c Bluetooth: ath3k: Add support of 04ca:300d AR3012 device 2015-06-18 21:00:06 +03:00
bcm203x.c Bluetooth: Use devm_kzalloc in bcm203x.c file. 2012-08-06 15:03:00 -03:00
bfusb.c Bluetooth: bfusb: Coding style fix reported by coccinelle 2015-07-23 17:10:49 +02:00
bluecard_cs.c Bluetooth: Remove typedef bluecard_info_t 2014-08-14 08:49:25 +02:00
bpa10x.c Bluetooth: Declare bpa10x_table[] as const 2013-10-11 17:05:22 +02:00
bt3c_cs.c Bluetooth: bt3c_cs: Fix coding style 2015-07-23 17:10:50 +02:00
btbcm.c Bluetooth: btbcm: Add BCM4330B1 UART device 2015-07-30 13:18:08 +02:00
btbcm.h Bluetooth: btbcm: Support the BCM4354 Bluetooth UART device 2015-06-17 18:56:53 +02:00
btintel.c Bluetooth: btintel: Add MODULE_FIRMWARE entries for iBT 3.0 controllers 2015-08-28 21:00:37 +02:00
btintel.h Bluetooth: btintel: Create common function for Intel version info 2015-07-23 17:10:50 +02:00
btmrvl_debugfs.c Bluetooth: btmrvl add firmware dump support 2014-12-03 17:35:51 +01:00
btmrvl_drv.h Bluetooth: btmrvl: Coding style Fix for btmrvl header 2015-07-27 10:30:32 +03:00
btmrvl_main.c Bluetooth: btmrvl: skb resource leak, and double free. 2015-09-17 13:20:02 +02:00
btmrvl_sdio.c Bluetooth: btmrvl: change device pointer passed to dev_coredumpv 2015-08-28 21:00:36 +02:00
btmrvl_sdio.h Bluetooth: btmrvl add firmware dump support 2014-12-03 17:35:51 +01:00
btqca.c Bluetooth: btqca: Introduce generic QCA ROME support 2015-08-10 23:52:20 +02:00
btqca.h Bluetooth: btqca: Introduce generic QCA ROME support 2015-08-10 23:52:20 +02:00
btrtl.c Bluetooth: btrtl: Create separate module for Realtek BT driver 2015-05-14 12:04:12 +02:00
btrtl.h Bluetooth: btrtl: Create separate module for Realtek BT driver 2015-05-14 12:04:12 +02:00
btsdio.c Bluetooth: Use MD SET register for changing SDIO Type-B to Type-A 2013-12-29 21:31:07 +02:00
btuart_cs.c Bluetooth: Remove typedef btuart_info_t 2014-08-14 08:49:25 +02:00
btusb.c Bluetooth: btusb: Detect new kind of counterfeit CSR controllers 2015-09-17 13:20:00 +02:00
btwilink.c Bluetooth: btwilink: remove DEBUG define 2015-05-13 23:00:51 +02:00
dtl1_cs.c Bluetooth: dtl1_cs: Fixed coding style 2015-07-23 17:10:49 +02:00
hci_ath.c Bluetooth: hci_uart: Fix dereferencing of ERR_PTR 2015-06-17 14:21:08 +02:00
hci_bcm.c Bluetooth: hci_bcm: Use bt_dev logging helpers 2015-09-17 13:20:01 +02:00
hci_bcsp.c Bluetooth: hci_bcsp: Clean up code Fix 2015-06-09 13:59:09 +02:00
hci_h4.c Bluetooth: hci_uart: Fix zero len data packet reception issue 2015-08-28 21:00:37 +02:00
hci_h5.c Bluetooth: hci_h5: Cleaned up coding style warnings 2015-07-27 10:30:42 +03:00
hci_intel.c Bluetooth: hci_intel: Show error in case of invalid LPM packet size 2015-09-17 13:20:02 +02:00
hci_ldisc.c Bluetooth: hciuart: Add support QCA chipset for UART 2015-08-10 23:52:20 +02:00
hci_ll.c Bluetooth: hci_uart: Remove the manual protocol init message 2015-04-07 18:47:10 +02:00
hci_qca.c Bluetooth: hci_qca: Fix a few tab vs spaces issues 2015-09-17 13:20:01 +02:00
hci_uart.h Bluetooth: hciuart: Add support QCA chipset for UART 2015-08-10 23:52:20 +02:00
hci_vhci.c Bluetooth: vhci: Clean up coding style fix 2015-06-04 10:02:04 +07:00
Kconfig Bluetooth: hciuart: Add support QCA chipset for UART 2015-08-10 23:52:20 +02:00
Makefile Bluetooth: hciuart: Add support QCA chipset for UART 2015-08-10 23:52:20 +02:00