author Jiri Slaby <jslaby@suse.cz> 2010-10-10 22:46:34 +0000
committer David S. Miller <davem@davemloft.net> 2010-10-11 11:05:42 -0700
commit 5518b29f225dbdf47ded02cf229ff8225a2cdf82
tree 63ff04e7b339623e41ba0d2d27b67bd4ae81bab3
parent f1ee89d5b007620353fb7dec1d34db4baa1a5571
ATM: mpc, fix use after free
Stanse found that mpc_push frees skb and then it dereferences it. It is a typo, new_skb should be dereferenced there.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- net/atm/mpc.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/atm/mpc.c b/net/atm/mpc.c
index 622b471e14e0..74bcc662c3dd 100644
--- a/net/atm/mpc.c
+++ b/net/atm/mpc.c
@@ -778,7 +778,7 @@ static void mpc_push(struct atm_vcc *vcc, struct sk_buff *skb)
eg->packets_rcvd++;
mpc->eg_ops->put(eg);
- memset(ATM_SKB(skb), 0, sizeof(struct atm_skb_data));
+ memset(ATM_SKB(new_skb), 0, sizeof(struct atm_skb_data));
netif_rx(new_skb);
}
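Review bot: the changelog understates what the replaced memset line did. The old call wrote sizeof(struct atm_skb_data) zero bytes through ATM_SKB(skb), and the message says skb is already freed at that point, so the bug is a write into freed memory rather than only a dereference. Please say so in the commit message, since that affects how the fix is triaged for backports, and consider adding a stable Cc. The one-line change itself looks right: the cleared control block now belongs to the same new_skb that is handed to netif_rx() on the next line.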