| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20221123081511.28684-1-yuehaibing@huawei.com>
Date: Wed, 23 Nov 2022 16:15:11 +0800
From: YueHaibing <yuehaibing@...wei.com>
To: <stefanr@...6.in-berlin.de>, <andriy.shevchenko@...ux.intel.com>
CC: <linux1394-devel@...ts.sourceforge.net>,
<linux-kernel@...r.kernel.org>, YueHaibing <yuehaibing@...wei.com>
Subject: [PATCH] firewire: Fix potential use-after-free in fwnet_finish_incoming_packet()
The skb is delivered to netif_rx() which may free it, after calling this,
dereferencing skb may trigger use-after-free.
Signed-off-by: YueHaibing <yuehaibing@...wei.com>
---
drivers/firewire/net.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
index af22be84034b..9e19f942a545 100644
--- a/drivers/firewire/net.c
+++ b/drivers/firewire/net.c
@@ -479,7 +479,7 @@ static int fwnet_finish_incoming_packet(struct net_device *net,
struct sk_buff *skb, u16 source_node_id,
bool is_broadcast, u16 ether_type)
{
- int status;
+ int status, recv_len;
switch (ether_type) {
case ETH_P_ARP:
@@ -533,13 +533,14 @@ static int fwnet_finish_incoming_packet(struct net_device *net,
}
skb->protocol = protocol;
}
+ recv_len = skb->len;
status = netif_rx(skb);
if (status == NET_RX_DROP) {
net->stats.rx_errors++;
net->stats.rx_dropped++;
} else {
net->stats.rx_packets++;
- net->stats.rx_bytes += skb->len;
+ net->stats.rx_bytes += recv_len;
}
return 0;
--
2.17.1
Powered by blists - more mailing lists