stable inclusion category: bugfix bugzilla: NA CVE: NA
Line 5968 (#1) allocates a memory chunk for input with kmalloc(). Lines 5973 (#2), 5989 (#4) and 5994 (#5) free input before the function returns, but line 5986 (#3) forgets to free it, which leads to a memory leak. This bug affects all stable versions from 5.15 to 5.15.7.
We should kfree() input in line 5986 (#3).
5960 static int rtw_mp_pwrtrk(struct net_device *dev, 5961 struct iw_request_info *info, 5962 struct iw_point *wrqu, char *extra) 5963 { 5968 char *input = kmalloc(wrqu->length, GFP_KERNEL); // #1: kmalloc space 5970 if (!input) 5971 return -ENOMEM; 5972 if (copy_from_user(input, wrqu->pointer, wrqu->length)) { 5973 kfree(input); // #2: kfree space 5974 return -EFAULT; 5975 }
5980 if (strncmp(input, "stop", 4) == 0) { 5981 enable = 0; 5982 sprintf(extra, "mp tx power tracking stop"); 5983 } else if (sscanf(input, "ther =%d", &thermal)) { 5984 ret = Hal_SetThermalMeter(padapter, (u8)thermal); 5985 if (ret == _FAIL) 5986 return -EPERM; // #3: missing kfree 5987 sprintf(extra, "mp tx power tracking start, target value =%d ok ", thermal); 5988 } else { 5989 kfree(input); // #4: kfree space 5990 return -EINVAL; 5991 }
5994 kfree(input); // #5: kfree space
6000 return 0; 6001 }
Signed-off-by: Jianglei Nie niejianglei2021@163.com --- drivers/staging/r8188eu/os_dep/ioctl_linux.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
index 0eccce57c63a..906a57eae1af 100644
--- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
@@ -5982,8 +5982,10 @@ static int rtw_mp_pwrtrk(struct net_device *dev,
 sprintf(extra, "mp tx power tracking stop");
 } else if (sscanf(input, "ther =%d", &thermal)) {
 ret = Hal_SetThermalMeter(padapter, (u8)thermal);
- if (ret == _FAIL)
+ if (ret == _FAIL) {
+ kfree(input);
 return -EPERM;
+ }
 sprintf(extra, "mp tx power tracking start, target value =%d ok ", thermal);
 } else {
 kfree(input);
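Review bot: The failure path under `if (ret == _FAIL)` still frees `input` by hand, which is the same per-branch cleanup pattern that allowed this leak, so the next early return added to rtw_mp_pwrtrk() can leak again. A single exit label would remove that risk: in the branch use `err = -EPERM; goto free_input;` and end the function with `free_input: kfree(input); return err;` (the names are placeholders, and the function's start and tail lie outside the hunk). Separately, `(u8)thermal` narrows a value parsed with `%d` from the user-supplied buffer without a range check, so a negative or above-255 value is silently wrapped before it reaches Hal_SetThermalMeter(). Unless the callee already validates the range, a guard such as `if (thermal < 0 || thermal > U8_MAX)` that frees `input` and returns -EINVAL would reject such input.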