[ATM] CLIP: Do not refer freed skbuff in clip_mkip().
author YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Mon, 18 Sep 2006 13:37:58 +0000 (06:37 -0700)
committer David S. Miller <davem@davemloft.net>
Mon, 18 Sep 2006 13:37:58 +0000 (06:37 -0700)
In clip_mkip(), skb->dev is dereferenced after clip_push(),
which frees up skb.

Advisory: AD_LAB-06009 (<adlab@venustech.com.cn>).

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/atm/clip.c

index 7ce7bfe..7af2c41 100644 (file)
@@ -500,9 +500,11 @@ static int clip_mkip(struct atm_vcc *vcc, int timeout)
                } else {
                        unsigned int len = skb->len;
 
+                       skb_get(skb);
                        clip_push(vcc, skb);
                        PRIV(skb->dev)->stats.rx_packets--;
                        PRIV(skb->dev)->stats.rx_bytes -= len;
+                       kfree_skb(skb);
                }
        return 0;
 }
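
Review bot: The skb_get()/kfree_skb() pair around clip_push() carries no comment explaining why the extra reference is held, while the two stats lines still read skb->dev after the call. Add a short comment above skb_get(skb) saying that clip_push() frees the skb and that the reference exists only so skb->dev can be read afterwards. If skb->dev does not have to be read after clip_push(), saving the device pointer before the call, as is already done with len, would avoid the reference count round trip; if it does, state that in the comment so a later cleanup does not remove the pair and reintroduce the access to a freed skb.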