From: Peter K. <pk...@us...> - 2001-03-15 16:25:29
The following files were modified in linux/drivers/char/bluetooth:
Name Old version New version Comment
---- ----------- ----------- -------
bluetooth.c 1.148 1.149=20=20=20=20=20=20=20=20=20=20=20
hci.c 1.129 1.130=20=20=20=20=20=20=20=20=20=20=20
The accompanying log:
Fixed memory leak in hci_inquiry(), and corrected HCIINQUIRY in case
hci_inquiry() failed.
The diff of the modified file(s):
--- bluetooth.c 2001/03/14 16:23:45 1.148
+++ bluetooth.c 2001/03/15 16:27:33 1.149
@@ -476,7 +476,6 @@
u32 utmp;
s32 err =3D 0;
s32 size =3D _IOC_SIZE(cmd);
- inquiry_results *inq_res;
bt_connection btcon;
u8 bd_addr[6];
=20
@@ -693,13 +692,15 @@
=20
case HCIINQUIRY:
{=20
+ inquiry_results *inq_res;
s32 in_param[2];
u8 lap[3];
=20=09=09
BT_DRIVER(FNC"HCINQUIRY\n");
=20=09=09
copy_from_user(in_param, (s32*)arg, 8);
- inq_res =3D hci_inquiry(lap, in_param[1] , in_param[0]);
+ if (!(inq_res =3D hci_inquiry(lap, in_param[1] , in_param[0])))
+ return -ENOMEM;
copy_to_user((s32*)arg, inq_res, size + 6 * inq_res->nbr_of_units);
break;
}
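Review bot: Both user copies in the HCIINQUIRY case are still unchecked, so a faulting `arg` leaves `in_param` holding uninitialised stack values that are then passed to hci_inquiry(). The read should be `if (copy_from_user(in_param, (s32 *)arg, sizeof(in_param))) return -EFAULT;`, and a failed copy_to_user() should map to -EFAULT the same way. The copy-out length `size + 6 * inq_res->nbr_of_units` is also never compared with what hci_inquiry() allocated (`sizeof(inquiry_results) + 6 * num_resp` in hci.c), so a `size` from `_IOC_SIZE(cmd)` larger than the struct, or a unit count above the requested maximum, would copy adjacent kernel heap out to user space; clamp the length before copying. The enclosing ioctl function starts and ends outside this hunk.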
--- hci.c 2001/03/15 10:31:11 1.129
+++ hci.c 2001/03/15 16:27:33 1.130
@@ -321,8 +321,6 @@
=20
static s32 test_hci_hdl;
=20
-
-
/****************** FUNCTION DEFINITION SECTION **************************=
***/
=20
/*
@@ -347,7 +345,6 @@
u32 c; /* Temporary variable for index calculations */=20=20=20
u8 *buf; /* Temporary pointer to the incoming data */
u32 tmp_data_len;
- s32 syncing =3D 1;
=20=20
PRINTPKT(__FUNCTION__", ", data, count);
=20=20=20
@@ -1695,12 +1692,14 @@
lap[1] =3D 0x8b;
lap[2] =3D 0x9e;
=20
- if (!inq_res) {
+ /* Free any previous response */
kfree(inq_res);
- }
=20
inq_res =3D (inquiry_results*) kmalloc(sizeof(inquiry_results)
+ 6 * num_resp, GFP_ATOMIC);
+ if (!inq_res)
+ return NULL;
+
inq_res->nbr_of_units =3D 0;
=20
c_pkt.type =3D CMD_PKT;
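Review bot: The allocation size `sizeof(inquiry_results) + 6 * num_resp` uses `num_resp` without a range check, and the HCIINQUIRY ioctl in bluetooth.c passes values copied from user space straight into hci_inquiry(). If `num_resp` is one of those values (its declaration is outside this hunk), a caller can request an arbitrarily large GFP_ATOMIC allocation or, depending on its type, wrap the multiplication so the buffer is smaller than the code filling in the responses expects. A bound ahead of the kmalloc would close this, e.g. `if (num_resp > MAX_INQ_RESP) return NULL;`, where `MAX_INQ_RESP` is a placeholder for whatever limit the driver settles on. hci_inquiry() begins and ends outside the hunk.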
@@ -1715,11 +1714,12 @@
=20
tmp =3D send_inq_cmd_block((u8*) &c_pkt ,c_pkt.len + CMD_HDR_LEN + HCI_HD=
R_LEN);
=20
- if ( tmp >=3D 0) {
- return inq_res;
- } else {
- return NULL;
+ if (tmp < 0) {
+ kfree(inq_res);
+ inq_res =3D NULL;
}
+
+ return inq_res;
}
=20
/* This function will cause the Link Manager to create a connection to the
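Review bot: `inq_res` is not declared in any visible hunk and is freed at the top of the next hci_inquiry() call, so it appears to be file-scope state that the returned pointer does not own. The ioctl caller dereferences `inq_res->nbr_of_units` and copies from the buffer after this return, so a second inquiry running concurrently could kfree() it underneath that copy, and two failing calls could both reach the `kfree(inq_res)` added here. No locking is visible in the hunk; if none exists elsewhere, serialise hci_inquiry() together with the copy-out, or hand the caller a buffer of its own. At minimum the contract deserves a comment above the function, such as `/* Returned buffer is owned by hci.c and is freed by the next hci_inquiry() call. */`. The function starts outside the hunk.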
@@ -3254,7 +3254,7 @@
if (cmd_buf.count =3D=3D NBR_CMD_BUFS) {
D_ERR("insert_cmd: WARNING Command buffer full !\n");
sti();
- return -1;
+ return -ENOMEM;
}
=20
/* Allocate memory (freed from send_cmd_queue) */