author | Ralf Baechle <ralf@linux-mips.org> | 2006-07-03 19:29:15 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-07-03 19:29:15 -0700 |
commit | 8dc22d2b642f8a6f14ef8878777a05311e5d1d7e (patch) | |
tree | fb6ec490d0318cf7c267668f6d06391b2033b2fb /net/rose/rose_dev.c | |
parent | 518d1c9679f644811adaa22d853f43a83fbdae84 (diff) | |
[ROSE]: Fix dereference of skb pointer after free.
If rose_route_frame returns success we'll dereference a stale pointer.
Likely this is only going to result in bad statistics for the ROSE
interface.
This fixes coverity 946.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/rose/rose_dev.c')
-rw-r--r-- | net/rose/rose_dev.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/rose/rose_dev.c b/net/rose/rose_dev.c
index 9d0bf2a..7c279e2 100644
--- a/net/rose/rose_dev.c
+++ b/net/rose/rose_dev.c
@@ -59,6 +59,7 @@ static int rose_rebuild_header(struct sk_buff *skb)
 struct net_device_stats *stats = netdev_priv(dev);
 unsigned char *bp = (unsigned char *)skb->data;
 struct sk_buff *skbn;
+ unsigned int len;
 
 #ifdef CONFIG_INET
 if (arp_find(bp + 7, skb)) {
@@ -75,6 +76,8 @@ static int rose_rebuild_header(struct sk_buff *skb)
 
 kfree_skb(skb);
 
+ len = skbn->len;
+
 if (!rose_route_frame(skbn, NULL)) {
 kfree_skb(skbn);
 stats->tx_errors++;
@@ -82,7 +85,7 @@ static int rose_rebuild_header(struct sk_buff *skb)
 }
 
 stats->tx_packets++;
- stats->tx_bytes += skbn->len;
+ stats->tx_bytes += len;
 #endif
 return 1;
 }
|
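Review bot: In the second hunk, nothing in the code records why `len = skbn->len;` has to sit before `rose_route_frame(skbn, NULL)`, so a later tidy-up could move the read back after the call and reintroduce the stale-pointer read. A comment above the assignment such as `/* rose_route_frame() may free skbn on success; read len before the call */` would pin the ordering down. The third hunk's `stats->tx_bytes += len;` depends on the same constraint. The failure branch still calls `kfree_skb(skbn)`, which is only safe if rose_route_frame() leaves the buffer alone when it returns 0. That contract is not visible here and is worth confirming against its definition, since otherwise that path would free the buffer twice. The body of rose_rebuild_header starts and ends outside this hunk.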