From f9126e93395a8306b8b98a035697b5bb40946a71 Mon Sep 17 00:00:00 2001
From: Szymon Janc
Date: Tue, 7 Aug 2012 14:22:30 +0200
Subject: [PATCH] nfctype3: Fix possible NULL pointer dereference in nfctype3_recv_UID
Check if memory allocation succeed before dereferencing pointer and free any allocated memory before returning. This also fix memory leak if call to near_adapter_send failed.
---
 plugins/nfctype3.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/plugins/nfctype3.c b/plugins/nfctype3.c
index 6fdf664..eef85f6 100644
--- a/plugins/nfctype3.c
+++ b/plugins/nfctype3.c
@@ -352,7 +352,7 @@ out:
 static int nfctype3_recv_UID(uint8_t *resp, int length, void *data)
 {
 struct t3_cookie *rcv_cookie = data;
- struct t3_cookie *snd_cookie;
+ struct t3_cookie *snd_cookie = NULL;
 int err = 0;
 struct type3_cmd cmd;
@@ -368,6 +368,11 @@ static int nfctype3_recv_UID(uint8_t *resp, int length, void *data)
 goto out;
 snd_cookie = g_try_malloc0(sizeof(struct t3_cookie));
+ if (snd_cookie == NULL) {
+ err = -ENOMEM;
+ goto out;
+ }
+
 snd_cookie->adapter_idx = rcv_cookie->adapter_idx;
 snd_cookie->target_idx = rcv_cookie->target_idx;
 snd_cookie->cb = rcv_cookie->cb;
@@ -380,9 +385,13 @@ static int nfctype3_recv_UID(uint8_t *resp, int length, void *data)
 (uint8_t *)&cmd, cmd.len, nfctype3_recv_block_0, snd_cookie);
 out:
- if (err < 0 && rcv_cookie->cb)
- rcv_cookie->cb(rcv_cookie->adapter_idx,
- rcv_cookie->target_idx, err);
+ if (err < 0) {
+ if (rcv_cookie->cb)
+ rcv_cookie->cb(rcv_cookie->adapter_idx,
+ rcv_cookie->target_idx, err);
+
+ g_free(snd_cookie);
+ }
 t3_cookie_release(rcv_cookie);
--
2.7.4
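Review bot: The new `g_free(snd_cookie)` under `out:` in the last hunk is only safe if near_adapter_send() never retains the cookie or hands it to `nfctype3_recv_block_0` before returning a negative value. That contract is not visible here, and if a failed send can still run the callback (which presumably releases its cookie), this free becomes a double free. It is worth confirming this against the adapter code and recording it at the free, e.g. `/* send failed: callback will not run, so snd_cookie is still ours */`. The surrounding code releases cookies through `t3_cookie_release()`, so the plain `g_free()` is correct only while `snd_cookie` owns no further allocations, which looks true for the fields copied in the second hunk. The function body starts and ends outside these hunks.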