dcb: use after free in dcb_flushapp()
Dan Carpenter [Tue, 4 Jan 2011 21:03:44 +0000 (21:03 +0000)]
The original code has a use after free bug because it's not using the
_safe() version of the list_for_each_entry() macro.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/dcb/dcbnl.c

index 4323bd4..d900ab9 100644 (file)
@@ -1643,9 +1643,10 @@ EXPORT_SYMBOL(dcb_setapp);
 static void dcb_flushapp(void)
 {
        struct dcb_app_type *app;
+       struct dcb_app_type *tmp;
 
        spin_lock(&dcb_lock);
-       list_for_each_entry(app, &dcb_app_list, list) {
+       list_for_each_entry_safe(app, tmp, &dcb_app_list, list) {
                list_del(&app->list);
                kfree(app);
        }