diff options
author | Patrick McHardy <kaber@trash.net> | 2007-07-18 02:04:09 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2007-07-18 02:04:09 -0700 |
commit | 7d4372b5ae2f891e8bfa96c98d450255f58b4dc1 (patch) | |
tree | bca14a197cdef0057e4008152649b43a42d0daba /drivers/net | |
parent | 99acaeb92fc2d52900f00b8e926d9ad81b6e93bb (diff) | |
download | kernel_samsung_aries-7d4372b5ae2f891e8bfa96c98d450255f58b4dc1.zip kernel_samsung_aries-7d4372b5ae2f891e8bfa96c98d450255f58b4dc1.tar.gz kernel_samsung_aries-7d4372b5ae2f891e8bfa96c98d450255f58b4dc1.tar.bz2 |
[PPPOL2TP]: Fix use-after-free
Don't use skb->len after passing it to ip_queue_xmit.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net')
-rw-r--r-- | drivers/net/pppol2tp.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c index 5891a0f..856610f 100644 --- a/drivers/net/pppol2tp.c +++ b/drivers/net/pppol2tp.c @@ -824,6 +824,7 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh struct pppol2tp_session *session; struct pppol2tp_tunnel *tunnel; struct udphdr *uh; + unsigned int len; error = -ENOTCONN; if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) @@ -912,14 +913,15 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh } /* Queue the packet to IP for output */ + len = skb->len; error = ip_queue_xmit(skb, 1); /* Update stats */ if (error >= 0) { tunnel->stats.tx_packets++; - tunnel->stats.tx_bytes += skb->len; + tunnel->stats.tx_bytes += len; session->stats.tx_packets++; - session->stats.tx_bytes += skb->len; + session->stats.tx_bytes += len; } else { tunnel->stats.tx_errors++; session->stats.tx_errors++; @@ -958,6 +960,7 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb) __wsum csum = 0; struct sk_buff *skb2 = NULL; struct udphdr *uh; + unsigned int len; if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) goto abort; @@ -1050,14 +1053,15 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb) skb2->dst = sk_dst_get(sk_tun); /* Queue the packet to IP for output */ + len = skb2->len; rc = ip_queue_xmit(skb2, 1); /* Update stats */ if (rc >= 0) { tunnel->stats.tx_packets++; - tunnel->stats.tx_bytes += skb2->len; + tunnel->stats.tx_bytes += len; session->stats.tx_packets++; - session->stats.tx_bytes += skb2->len; + session->stats.tx_bytes += len; } else { tunnel->stats.tx_errors++; session->stats.tx_errors++; |