diff options
author | Sabrina Dubroca <sd@queasysnail.net> | 2015-11-16 22:44:53 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2015-11-17 20:39:29 +0100 |
commit | a534dc529853c69e94994aa47c1d80a03ce2c11d (patch) | |
tree | 6e043089d86b6615264dfc22e07fc326b3a9ef13 | |
parent | ipvlan: fix leak in ipvlan_rcv_frame (diff) | |
download | linux-a534dc529853c69e94994aa47c1d80a03ce2c11d.tar.xz linux-a534dc529853c69e94994aa47c1d80a03ce2c11d.zip |
ipvlan: fix use after free of skb
ipvlan_handle_frame is a rx_handler, and when it returns a value other
than RX_HANDLER_CONSUMED (here, NET_RX_DROP aka RX_HANDLER_ANOTHER),
__netif_receive_skb_core expects that the skb still exists and will
process it further, but we just freed it.
Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | drivers/net/ipvlan/ipvlan_core.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c index a9148e46dad0..8c48bb2a94ea 100644 --- a/drivers/net/ipvlan/ipvlan_core.c +++ b/drivers/net/ipvlan/ipvlan_core.c @@ -653,5 +653,5 @@ rx_handler_result_t ipvlan_handle_frame(struct sk_buff **pskb) WARN_ONCE(true, "ipvlan_handle_frame() called for mode = [%hx]\n", port->mode); kfree_skb(skb); - return NET_RX_DROP; + return RX_HANDLER_CONSUMED; } |