Commit cafd472a authored by Peilin Ye's avatar Peilin Ye Committed by Marcel Holtmann
Browse files

Bluetooth: Fix memory leak in read_adv_mon_features() 



read_adv_mon_features() is leaking memory. Free `rp` before returning.

Fixes: e5e1e7fd ("Bluetooth: Add handler of MGMT_OP_READ_ADV_MONITOR_FEATURES")
Reported-and-tested-by: default avatar <syzbot+f7f6e564f4202d8601c6@syzkaller.appspotmail.com>
Link: https://syzkaller.appspot.com/bug?extid=f7f6e564f4202d8601c6


Signed-off-by: default avatarPeilin Ye <yepeilin.cs@gmail.com>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent 2041a3f5

net/bluetooth/mgmt.c

+8 −4
Original line number Diff line number Diff line
@@ -4157,7 +4157,7 @@ static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev, 
{

	struct adv_monitor *monitor = NULL;

	struct mgmt_rp_read_adv_monitor_features *rp = NULL;

	int handle;

	int handle, err;

	size_t rp_size = 0;

	__u32 supported = 0;

	__u16 num_handles = 0;
@@ -4192,9 +4192,13 @@ static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev, 
	if (num_handles)

		memcpy(&rp->handles, &handles, (num_handles * sizeof(u16)));



	return mgmt_cmd_complete(sk, hdev->id,

	err = mgmt_cmd_complete(sk, hdev->id,

				MGMT_OP_READ_ADV_MONITOR_FEATURES,

				MGMT_STATUS_SUCCESS, rp, rp_size);



	kfree(rp);



	return err;

}



static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,