projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d7811e6)
[ATM] CLIP: Do not refer freed skbuff in clip_mkip().
authorYOSHIFUJI Hideaki <[email protected]>
Mon, 18 Sep 2006 13:37:58 +0000 (06:37 -0700)
committerDavid S. Miller <[email protected]>
Mon, 18 Sep 2006 13:37:58 +0000 (06:37 -0700)
In clip_mkip(), skb->dev is dereferenced after clip_push(),
which frees up skb.

Advisory: AD_LAB-06009 (<[email protected]>).

Signed-off-by: YOSHIFUJI Hideaki <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
net/atm/clip.c patch | blob | history

diff --git a/net/atm/clip.c b/net/atm/clip.c
index 7ce7bfe3fbad3a3908b5a551b3bc8ea37acd9c22..7af2c411da82031f1f62599b5050fe30296f0622 100644 (file)
--- a/net/atm/clip.c
+++ b/net/atm/clip.c
@@ -500,9 +500,11 @@ static int clip_mkip(struct atm_vcc *vcc, int timeout)
                } else {
                        unsigned int len = skb->len;
 
+                       skb_get(skb);
                        clip_push(vcc, skb);
                        PRIV(skb->dev)->stats.rx_packets--;
                        PRIV(skb->dev)->stats.rx_bytes -= len;
+                       kfree_skb(skb);
                }
        return 0;
 }
John Crispins staging tree