summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKrzysztof Mazur <krzysiek@podlesie.net>2012-11-10 23:33:19 +0100
committerDavid Woodhouse <David.Woodhouse@intel.com>2012-11-30 12:21:42 +0000
commit071d93931a75dc1f82f0baa9959613af81c5a032 (patch)
treea6a4a61cacc37fe189aa7676871c654f37ef244f
parent3ac108006fd7f20cb8fc8ea2287f1497bcda00a1 (diff)
downloadop-kernel-dev-071d93931a75dc1f82f0baa9959613af81c5a032.zip
op-kernel-dev-071d93931a75dc1f82f0baa9959613af81c5a032.tar.gz
pppoatm: drop frames to not-ready vcc
The vcc_destroy_socket() closes vcc before the protocol is detached from vcc by calling vcc->push() with NULL skb. This leaves some time window, where the protocol may call vcc->send() on closed vcc and crash. Now pppoatm_send(), like vcc_sendmsg(), checks for vcc flags that indicate that vcc is not ready. If the vcc is not ready we just drop frame. Queueing frames is much more complicated because we don't have callbacks that inform us about vcc flags changes. Signed-off-by: Krzysztof Mazur <krzysiek@podlesie.net> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-rw-r--r--net/atm/pppoatm.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/net/atm/pppoatm.c b/net/atm/pppoatm.c
index c4a57bc..aeb726c 100644
--- a/net/atm/pppoatm.c
+++ b/net/atm/pppoatm.c
@@ -284,6 +284,13 @@ static int pppoatm_send(struct ppp_channel *chan, struct sk_buff *skb)
bh_lock_sock(sk_atm(vcc));
if (sock_owned_by_user(sk_atm(vcc)))
goto nospace;
+ if (test_bit(ATM_VF_RELEASED, &vcc->flags) ||
+ test_bit(ATM_VF_CLOSE, &vcc->flags) ||
+ !test_bit(ATM_VF_READY, &vcc->flags)) {
+ bh_unlock_sock(sk_atm(vcc));
+ kfree_skb(skb);
+ return DROP_PACKET;
+ }
switch (pvcc->encaps) { /* LLC encapsulation needed */
case e_llc:
OpenPOWER on IntegriCloud