| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20201022070739.GB2817762@mwanda>
Date: Thu, 22 Oct 2020 10:07:39 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Karsten Keil <isdn@...ux-pingi.de>
Cc: Petr Mladek <pmladek@...e.com>,
Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
Kefeng Wang <wangkefeng.wang@...wei.com>,
netdev@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: [PATCH net] mISDN: hfcpci: Fix a use after free in hfcmulti_tx()
This frees "*sp" before dereferencing it to get "len = (*sp)->len;".
Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver")
Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
---
drivers/isdn/hardware/mISDN/hfcmulti.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c
index 7013a3f08429..ce6c160e0df4 100644
--- a/drivers/isdn/hardware/mISDN/hfcmulti.c
+++ b/drivers/isdn/hardware/mISDN/hfcmulti.c
@@ -2152,16 +2152,14 @@ hfcmulti_tx(struct hfc_multi *hc, int ch)
HFC_wait_nodebug(hc);
}
+ len = (*sp)->len;
dev_kfree_skb(*sp);
/* check for next frame */
- if (bch && get_next_bframe(bch)) {
- len = (*sp)->len;
+ if (bch && get_next_bframe(bch))
goto next_frame;
- }
- if (dch && get_next_dframe(dch)) {
- len = (*sp)->len;
+
+ if (dch && get_next_dframe(dch))
goto next_frame;
- }
/*
* now we have no more data, so in case of transparent,
--
2.28.0
Powered by blists - more mailing lists