mISDN: Fix memory leak in dsp_pipeline_build()
authorAlexey Khoroshilov <khoroshilov@ispras.ru>
Fri, 4 Mar 2022 18:25:36 +0000 (21:25 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 16 Mar 2022 13:23:36 +0000 (14:23 +0100)
[ Upstream commit c6a502c2299941c8326d029cfc8a3bc8a4607ad5 ]

dsp_pipeline_build() allocates dup pointer by kstrdup(cfg),
but then it updates dup variable by strsep(&dup, "|").
As a result when it calls kfree(dup), the dup variable contains NULL.

Found by Linux Driver Verification project (linuxtesting.org) with SVACE.

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Fixes: 960366cf8dbb ("Add mISDN DSP")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/isdn/mISDN/dsp_pipeline.c

index e11ca6bbc7f41d559ace1fabfa1f0527b7e32318..c3b2c99b5cd5ceaf12c9fc7dcd929840ec6b3870 100644 (file)
@@ -192,7 +192,7 @@ void dsp_pipeline_destroy(struct dsp_pipeline *pipeline)
 int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg)
 {
        int found = 0;
-       char *dup, *tok, *name, *args;
+       char *dup, *next, *tok, *name, *args;
        struct dsp_element_entry *entry, *n;
        struct dsp_pipeline_entry *pipeline_entry;
        struct mISDN_dsp_element *elem;
@@ -203,10 +203,10 @@ int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg)
        if (!list_empty(&pipeline->list))
                _dsp_pipeline_destroy(pipeline);
 
-       dup = kstrdup(cfg, GFP_ATOMIC);
+       dup = next = kstrdup(cfg, GFP_ATOMIC);
        if (!dup)
                return 0;
-       while ((tok = strsep(&dup, "|"))) {
+       while ((tok = strsep(&next, "|"))) {
                if (!strlen(tok))
                        continue;
                name = strsep(&tok, "(");