projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3f660d6)
[NETLINK]: Fix use after free in netlink_recvmsg
authorPatrick McHardy <[email protected]>
Thu, 3 May 2007 10:27:01 +0000 (03:27 -0700)
committerDavid S. Miller <[email protected]>
Thu, 3 May 2007 10:27:01 +0000 (03:27 -0700)
When the user passes in MSG_TRUNC the skb is used after getting freed.

Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: David Howells <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
net/netlink/af_netlink.c patch | blob | history

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 7fc6b4da4f0216394d170d2a229479da35988d9f..ac1ceadf4ed34b5289db8d50819ec1433dc1d589 100644 (file)
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1246,16 +1246,14 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
                siocb->scm = &scm;
        }
        siocb->scm->creds = *NETLINK_CREDS(skb);
+       if (flags & MSG_TRUNC)
+               copied = skb->len;
        skb_free_datagram(sk, skb);
 
        if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2)
                netlink_dump(sk);
 
        scm_recv(sock, msg, siocb->scm, flags);
-
-       if (flags & MSG_TRUNC)
-               copied = skb->len;
-
 out:
        netlink_rcv_wake(sk);
        return err ? : copied;
John Crispins staging tree