ATM: mpc, fix use after free
Jiri Slaby [Sun, 10 Oct 2010 22:46:34 +0000 (22:46 +0000)]
Stanse found that mpc_push frees skb and then it dereferences it. It
is a typo, new_skb should be dereferenced there.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/atm/mpc.c

index 622b471..74bcc66 100644 (file)
@@ -778,7 +778,7 @@ static void mpc_push(struct atm_vcc *vcc, struct sk_buff *skb)
        eg->packets_rcvd++;
        mpc->eg_ops->put(eg);
 
-       memset(ATM_SKB(skb), 0, sizeof(struct atm_skb_data));
+       memset(ATM_SKB(new_skb), 0, sizeof(struct atm_skb_data));
        netif_rx(new_skb);
 }