authorDan Carpenter <error27@gmail.com>2011-01-04 22:03:44 +0100
committerDavid S. Miller <davem@davemloft.net>2011-01-06 20:16:54 +0100
commit2a8fe003741aa90b6b9453e90af4bbb7bc42918c (patch)
tree44450d3e65a5f1447424335e64213a1001d21d0a /net/dcb
parentdcb: unlock on error in dcbnl_ieee_get() (diff)
dcb: use after free in dcb_flushapp()
The original code has a use after free bug because it's not using the _safe() version of the list_for_each_entry() macro. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/dcb')
-rw-r--r--net/dcb/dcbnl.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index 4323bd441f0f..d900ab99814a 100644
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -1643,9 +1643,10 @@ EXPORT_SYMBOL(dcb_setapp);
static void dcb_flushapp(void)
{
struct dcb_app_type *app;
+ struct dcb_app_type *tmp;
spin_lock(&dcb_lock);
- list_for_each_entry(app, &dcb_app_list, list) {
+ list_for_each_entry_safe(app, tmp, &dcb_app_list, list) {
list_del(&app->list);
kfree(app);
}
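Review bot: The switch to `list_for_each_entry_safe()` in dcb_flushapp() carries no comment explaining why the plain iterator is wrong here, so a later cleanup could revert it and reintroduce the use after free. The loop body calls `list_del(&app->list)` and then `kfree(app)`, so the next entry has to be read before the body runs; I would add `/* entries are unlinked and freed in the body, so the _safe iterator is required */` directly above the loop. The end of the function lies outside this hunk, so the release of `dcb_lock` is not visible here and is presumably unchanged. Any other walk of `dcb_app_list` that deletes entries while iterating would need the same treatment, which cannot be confirmed from this hunk.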