summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSabrina Dubroca <sd@queasysnail.net>2015-11-16 22:44:53 +0100
committerDavid S. Miller <davem@davemloft.net>2015-11-17 20:39:29 +0100
commita534dc529853c69e94994aa47c1d80a03ce2c11d (patch)
tree6e043089d86b6615264dfc22e07fc326b3a9ef13
parentipvlan: fix leak in ipvlan_rcv_frame (diff)
downloadlinux-a534dc529853c69e94994aa47c1d80a03ce2c11d.tar.xz
linux-a534dc529853c69e94994aa47c1d80a03ce2c11d.zip
ipvlan: fix use after free of skb
ipvlan_handle_frame is a rx_handler, and when it returns a value other than RX_HANDLER_CONSUMED (here, NET_RX_DROP aka RX_HANDLER_ANOTHER), __netif_receive_skb_core expects that the skb still exists and will process it further, but we just freed it. Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/ipvlan/ipvlan_core.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
index a9148e46dad0..8c48bb2a94ea 100644
--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -653,5 +653,5 @@ rx_handler_result_t ipvlan_handle_frame(struct sk_buff **pskb)
WARN_ONCE(true, "ipvlan_handle_frame() called for mode = [%hx]\n",
port->mode);
kfree_skb(skb);
- return NET_RX_DROP;
+ return RX_HANDLER_CONSUMED;
}