OSDN Git Service
(root)
/
tomoyo
/
tomoyo-test1.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
3067bc6
)
net: hsr: Fix potential use-after-free
author
YueHaibing
<yuehaibing@huawei.com>
Fri, 25 Nov 2022 07:57:24 +0000
(15:57 +0800)
committer
Jakub Kicinski
<kuba@kernel.org>
Tue, 29 Nov 2022 02:09:00 +0000
(18:09 -0800)
The skb is delivered to netif_rx() which may free it, after calling this,
dereferencing skb may trigger use-after-free.
Fixes:
f421436a591d
("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link:
https://lore.kernel.org/r/20221125075724.27912-1-yuehaibing@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/hsr/hsr_forward.c
patch
|
blob
|
history
diff --git
a/net/hsr/hsr_forward.c
b/net/hsr/hsr_forward.c
index
a50429a
..
56bb27d
100644
(file)
--- a/
net/hsr/hsr_forward.c
+++ b/
net/hsr/hsr_forward.c
@@
-351,17
+351,18
@@
static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev,
struct hsr_node *node_src)
{
bool was_multicast_frame;
- int res;
+ int res
, recv_len
;
was_multicast_frame = (skb->pkt_type == PACKET_MULTICAST);
hsr_addr_subst_source(node_src, skb);
skb_pull(skb, ETH_HLEN);
+ recv_len = skb->len;
res = netif_rx(skb);
if (res == NET_RX_DROP) {
dev->stats.rx_dropped++;
} else {
dev->stats.rx_packets++;
- dev->stats.rx_bytes +=
skb->
len;
+ dev->stats.rx_bytes +=
recv_
len;
if (was_multicast_frame)
dev->stats.multicast++;
}
OSDN Git Service
