Commit fe26109a authored by YOSHIFUJI Hideaki's avatar YOSHIFUJI Hideaki Committed by David S. Miller

[ATM] CLIP: Do not refer freed skbuff in clip_mkip().

In clip_mkip(), skb->dev is dereferenced after clip_push(),
which frees up skb.

Advisory: AD_LAB-06009 (<adlab@venustech.com.cn>).
Signed-off-by: default avatarYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent d7811e62
...@@ -500,9 +500,11 @@ static int clip_mkip(struct atm_vcc *vcc, int timeout) ...@@ -500,9 +500,11 @@ static int clip_mkip(struct atm_vcc *vcc, int timeout)
} else { } else {
unsigned int len = skb->len; unsigned int len = skb->len;
skb_get(skb);
clip_push(vcc, skb); clip_push(vcc, skb);
PRIV(skb->dev)->stats.rx_packets--; PRIV(skb->dev)->stats.rx_packets--;
PRIV(skb->dev)->stats.rx_bytes -= len; PRIV(skb->dev)->stats.rx_bytes -= len;
kfree_skb(skb);
} }
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment