summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJiri Slaby <jslaby@suse.cz>2010-10-11 00:46:34 +0200
committerDavid S. Miller <davem@davemloft.net>2010-10-11 20:05:42 +0200
commit5518b29f225dbdf47ded02cf229ff8225a2cdf82 (patch)
tree63ff04e7b339623e41ba0d2d27b67bd4ae81bab3
parentATM: solos-pci, remove use after free (diff)
downloadlinux-5518b29f225dbdf47ded02cf229ff8225a2cdf82.tar.xz
linux-5518b29f225dbdf47ded02cf229ff8225a2cdf82.zip
ATM: mpc, fix use after free
Stanse found that mpc_push frees skb and then it dereferences it. It is a typo, new_skb should be dereferenced there. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Cc: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/atm/mpc.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/atm/mpc.c b/net/atm/mpc.c
index 622b471e14e0..74bcc662c3dd 100644
--- a/net/atm/mpc.c
+++ b/net/atm/mpc.c
@@ -778,7 +778,7 @@ static void mpc_push(struct atm_vcc *vcc, struct sk_buff *skb)
eg->packets_rcvd++;
mpc->eg_ops->put(eg);
- memset(ATM_SKB(skb), 0, sizeof(struct atm_skb_data));
+ memset(ATM_SKB(new_skb), 0, sizeof(struct atm_skb_data));
netif_rx(new_skb);
}