lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Sat, 19 May 2007 00:50:31 +0800
From:	Eugene Teo <eteo@...hat.com>
To:	linux-kernel@...r.kernel.org
CC:	jeff@...zik.org
Subject: [2.6 patch] drivers/net/wireless/libertas/rx.c: fix use-after-free

libertas_upload_rx_packet() calls netif_rx() before returning, and it always return 0.
Also within libertas_upload_rx_packet(), it will initialize skb->protocol anyways.

Spotted by the Coverity checker.

Signed-off-by: Eugene Teo <eteo@...hat.com>

diff --git a/drivers/net/wireless/libertas/rx.c b/drivers/net/wireless/libertas/rx.c
index d17924f..1d8d5e4 100644
--- a/drivers/net/wireless/libertas/rx.c
+++ b/drivers/net/wireless/libertas/rx.c
@@ -269,15 +269,12 @@ int libertas_process_rxed_packet(wlan_private * priv, struct sk_buff *skb)
        wlan_compute_rssi(priv, p_rx_pd);

        lbs_pr_debug(1, "RX Data: size of actual packet = %d\n", skb->len);
-       if (libertas_upload_rx_packet(priv, skb)) {
-               lbs_pr_debug(1, "RX error: libertas_upload_rx_packet"
-                      " returns failure\n");
-               ret = -1;
-               goto done;
-       }
+
        priv->stats.rx_bytes += skb->len;
        priv->stats.rx_packets++;

+       libertas_upload_rx_packet(priv, skb);
+
        ret = 0;
 done:
        LEAVE();
@@ -439,21 +436,14 @@ static int process_rxed_802_11_packet(wlan_private * priv, struct
sk_buff *skb)

        lbs_pr_debug(1, "RX Data: size of actual packet = %d\n", skb->len);

-       if (libertas_upload_rx_packet(priv, skb)) {
-               lbs_pr_debug(1, "RX error: libertas_upload_rx_packet "
-                       "returns failure\n");
-               ret = -1;
-               goto done;
-       }
-
        priv->stats.rx_bytes += skb->len;
        priv->stats.rx_packets++;

+       libertas_upload_rx_packet(priv, skb);
+
        ret = 0;
 done:
        LEAVE();

-       skb->protocol = __constant_htons(0x0019);       /* ETH_P_80211_RAW */
-

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists