[PATCH] prism54 Fix memory leaks

* Change the "version" OID to what it should be.
* Fix memory leaks - mgt_get_request always returns
* allocated memory for non-int OIDS (with an exception -
* keep reading). If the caller checks the return and itself
* returns, then it must free memory.
* However, it is possible to return from mgt_get_request
* early (!priv->mib). In this case, weird things can happen
* in isl_ioctl. Quick fix, at least to force an oops, is
* to set the union value to NULL. The real fix is to
* recode all mgt_get_request calls in isl_ioctl.

diff --git a/drivers/net/wireless/prism54/isl_ioctl.c b/drivers/net/wireless/prism54/isl_ioctl.c
index 3ea6515e3428f1ef9de17f0db39943361b491c11..6ae522a08a2fb5d568e771f7deb07dff04bf8bfd 100644 (file)
--- a/drivers/net/wireless/prism54/isl_ioctl.c
+++ b/drivers/net/wireless/prism54/isl_ioctl.c
@@ -820,9 +820,11 @@ prism54_set_rate(struct net_device *ndev,
                return mgt_set_request(priv, DOT11_OID_PROFILES, 0, &profile);
        }
 
-       if ((ret =
-            mgt_get_request(priv, DOT11_OID_SUPPORTEDRATES, 0, NULL, &r)))
+       ret = mgt_get_request(priv, DOT11_OID_SUPPORTEDRATES, 0, NULL, &r);
+       if (ret) {
+               kfree(r.ptr);
                return ret;
+       }
 
        rate = (u32) (vwrq->value / 500000);
        data = r.ptr;
@@ -840,6 +842,7 @@ prism54_set_rate(struct net_device *ndev,
        }
 
        if (!data[i]) {
+               kfree(r.ptr);
                return -EINVAL;
        }
 
@@ -888,8 +891,11 @@ prism54_get_rate(struct net_device *ndev,
        vwrq->value = r.u * 500000;
 
        /* request the device for the enabled rates */
-       if ((rvalue = mgt_get_request(priv, DOT11_OID_RATES, 0, NULL, &r)))
+       rvalue = mgt_get_request(priv, DOT11_OID_RATES, 0, NULL, &r);
+       if (rvalue) {
+               kfree(r.ptr);
                return rvalue;
+       }
        data = r.ptr;
        vwrq->fixed = (data[0] != 0) && (data[1] == 0);
        kfree(r.ptr);

diff --git a/drivers/net/wireless/prism54/oid_mgt.c b/drivers/net/wireless/prism54/oid_mgt.c
index c4ec1e4878e082761bfcf8e3fe2d7570bbaf3f76..333926d324ba20cad7f2d6fb325b9ec0a2522b8a 100644 (file)
--- a/drivers/net/wireless/prism54/oid_mgt.c
+++ b/drivers/net/wireless/prism54/oid_mgt.c
@@ -219,7 +219,7 @@ struct oid_t isl_oid[] = {
        OID_UNKNOWN(OID_INL_MEMORY, 0xFF020002),
        OID_U32_C(OID_INL_MODE, 0xFF020003),
        OID_UNKNOWN(OID_INL_COMPONENT_NR, 0xFF020004),
-       OID_UNKNOWN(OID_INL_VERSION, 0xFF020005),
+       OID_STRUCT(OID_INL_VERSION, 0xFF020005, u8[8], OID_TYPE_RAW),
        OID_UNKNOWN(OID_INL_INTERFACE_ID, 0xFF020006),
        OID_UNKNOWN(OID_INL_COMPONENT_ID, 0xFF020007),
        OID_U32_C(OID_INL_CONFIG, 0xFF020008),
@@ -481,6 +481,8 @@ mgt_get_request(islpci_private *priv, enum oid_num_t n, int extra, void *data,
        BUG_ON(OID_NUM_LAST <= n);
        BUG_ON(extra > isl_oid[n].range);
 
+       res->ptr = NULL;
+
        if (!priv->mib)
                /* memory has been freed */
                return -1;