From 6b5147af538ea81c8c407c9d7298117bb6bcdaf6 Mon Sep 17 00:00:00 2001
From: Ben Rosenfeld
Date: Wed, 17 Jun 2015 16:16:35 +0300
Subject: [PATCH] P2P: Fix memory leak in p2p_process_nfc_connection_handover()

p2p_process_nfc_connection_handover() allocates msg memory in the parser and might return before memory is released if the received message is not valid.

Signed-off-by: Ben Rosenfeld
---
 src/p2p/p2p.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index c54bb1e1c..16ffac433 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -5254,6 +5254,7 @@ int p2p_process_nfc_connection_handover(struct p2p_data *p2p,
 if (!msg.oob_go_neg_channel) {
 p2p_dbg(p2p, "OOB GO Negotiation Channel attribute not included");
+ p2p_parse_free(&msg);
 return -1;
 }
@@ -5265,6 +5266,7 @@ int p2p_process_nfc_connection_handover(struct p2p_data *p2p,
 msg.oob_go_neg_channel[4]);
 if (freq < 0) {
 p2p_dbg(p2p, "Unknown peer OOB GO Neg channel");
+ p2p_parse_free(&msg);
 return -1;
 }
 role = msg.oob_go_neg_channel[5];
@@ -5285,6 +5287,7 @@ int p2p_process_nfc_connection_handover(struct p2p_data *p2p,
 p2p->cfg->channel);
 if (freq < 0) {
 p2p_dbg(p2p, "Own listen channel not known");
+ p2p_parse_free(&msg);
 return -1;
 }
 p2p_dbg(p2p, "Use own Listen channel as OOB GO Neg channel: %u MHz", freq);
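Review bot: The pair `p2p_parse_free(&msg); return -1;` is now pasted into each of the three error exits (after the missing-attribute check in the hunk at -5254, and again in the hunks at -5265 and -5285), so any error return added later can silently reintroduce the leak. The commit message says these paths are reached when the received message is not valid, which suggests a peer could trigger the leak repeatedly, so it is worth closing structurally. Replace each pair with `goto fail;` and end the function with `fail: p2p_parse_free(&msg); return -1;`. The function body starts and ends outside these hunks, so returns not shown here should be checked for the same omission.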
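Review bot: In the hunk at -5265, the context lines index `msg.oob_go_neg_channel[4]` and `msg.oob_go_neg_channel[5]`, while the only check visible in this patch is the NULL test in the previous hunk. The attribute length is presumably validated in the parser, but nothing in these hunks says so, and the data comes from a received handover message. Once that is confirmed, a short comment above the channel lookup such as `/* parser only sets oob_go_neg_channel when the attribute is at least 6 octets */` would record the assumption. The enclosing statement begins outside the hunk.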