Commit 3ff2567

ZhangShurong authored and takaswie committed
firewire: net: fix use after free in fwnet_finish_incoming_packet()

The netif_rx() function frees the skb so we can't dereference it to save the skb->len.

Signed-off-by: Zhang Shurong <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Sakamoto <[email protected]>

1 parent 06f4543 commit 3ff2567

1 file changed, +4 -2 lines changed

drivers/firewire/net.c

Lines changed: 4 additions & 2 deletions
@@ -479,7 +479,7 @@ static int fwnet_finish_incoming_packet(struct net_device *net,
479479
struct sk_buff *skb, u16 source_node_id,
480480
bool is_broadcast, u16 ether_type)
481481
{
482-
int status;
482+
int status, len;
483483

484484
switch (ether_type) {
485485
case ETH_P_ARP:
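
Review bot: in the declaration `int status, len;`, the new `len` is a signed int, but it is only ever assigned from `skb->len`, which is an unsigned int in struct sk_buff. Declare it on its own line as `unsigned int len;` so the saved value keeps the type of the field it copies and no implicit signed conversion sits between the packet length and the `rx_bytes` counter.
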
@@ -533,13 +533,15 @@ static int fwnet_finish_incoming_packet(struct net_device *net,
533533
}
534534
skb->protocol = protocol;
535535
}
536+
537+
len = skb->len;
536538
status = netif_rx(skb);
537539
if (status == NET_RX_DROP) {
538540
net->stats.rx_errors++;
539541
net->stats.rx_dropped++;
540542
} else {
541543
net->stats.rx_packets++;
542-
net->stats.rx_bytes += skb->len;
544+
net->stats.rx_bytes += len;
543545
}
544546

545547
return 0;
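
Review bot: the `len = skb->len;` copy placed directly before `status = netif_rx(skb);` carries no comment explaining why it exists, so a later cleanup could fold it back into `net->stats.rx_bytes += skb->len;` and reintroduce the use after free. Add a one-line comment above the assignment stating that the skb must not be dereferenced once it has been passed to netif_rx(), so the length has to be saved first. The rest of the visible tail (`rx_errors`, `rx_dropped`, `rx_packets`, `return 0;`) touches only `net->stats` and `status`, so no other post-handoff access to `skb` remains in this hunk.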
