From: Dan Carpenter dan.carpenter@oracle.com
commit c6dc65d885b98898bf287aaf44e020077b41769f upstream.
I've moved the check for "number_destination_params" forward a few lines to avoid leaking "cmd".
Fixes: caa575a86ec1 ('NFC: nci: fix possible crash in nci_core_conn_create')
Acked-by: Christophe Ricard christophe-h.ricard@st.com Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Samuel Ortiz sameo@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/nfc/nci/core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c @@ -610,14 +610,14 @@ int nci_core_conn_create(struct nci_dev struct nci_core_conn_create_cmd *cmd; struct core_conn_create_data data;
+ if (!number_destination_params) + return -EINVAL; + data.length = params_len + sizeof(struct nci_core_conn_create_cmd); cmd = kzalloc(data.length, GFP_KERNEL); if (!cmd) return -ENOMEM;
- if (!number_destination_params) - return -EINVAL; - cmd->destination_type = destination_type; cmd->number_destination_params = number_destination_params; memcpy(cmd->params, params, params_len);