[PATCH] Use after free in net/tulip/de2104x.c
Eric Sesterhenn [Wed, 22 Mar 2006 21:30:34 +0000 (22:30 +0100)]
hi,

this fixes coverity bug #912, where skb is freed first,
and dereferenced a few lines later with skb->len.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Jeff Garzik <jeff@garzik.org>

drivers/net/tulip/de2104x.c

index 6299e18..e3dd144 100644 (file)
@@ -1327,11 +1327,11 @@ static void de_clean_rings (struct de_private *de)
                struct sk_buff *skb = de->tx_skb[i].skb;
                if ((skb) && (skb != DE_DUMMY_SKB)) {
                        if (skb != DE_SETUP_SKB) {
-                               dev_kfree_skb(skb);
                                de->net_stats.tx_dropped++;
                                pci_unmap_single(de->pdev,
                                        de->tx_skb[i].mapping,
                                        skb->len, PCI_DMA_TODEVICE);
+                               dev_kfree_skb(skb);
                        } else {
                                pci_unmap_single(de->pdev,
                                        de->tx_skb[i].mapping,
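Review bot: The ordering this fix depends on is not recorded in the code: in the `skb != DE_SETUP_SKB` branch, `pci_unmap_single()` reads `skb->len`, so `dev_kfree_skb(skb)` has to stay the last statement that touches `skb`. A one-line comment above the free would guard against a later cleanup reintroducing the use-after-free, e.g. `/* unmap reads skb->len; free the skb only after unmapping */`. The visible lines also do not show `de->tx_skb[i].skb` being cleared once the skb is freed. Presumably the ring entries are reset later in de_clean_rings, whose body starts and ends outside this hunk, but that is worth confirming so no stale pointer survives the cleanup.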