[Patch] Use after free in net/tulip/de2104x.c

From: Eric Sesterhenn
Date: Wed Mar 22 2006 - 16:27:51 EST

Next message: Andrew Morton: "Re: [patch 16/24] s390: dasd extended error reporting."
Previous message: Andrew Morton: "Re: [patch 3/24] s390: channel path measurements."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

hi,

this fixes coverity bug #912, where skb is freed first,
and dereferenced a few lines later with skb->len.

Signed-off-by: Eric Sesterhenn <snakebyte@xxxxxx>

--- linux-2.6.16/drivers/net/tulip/de2104x.c.orig 2006-03-22 22:21:53.000000000 +0100
+++ linux-2.6.16/drivers/net/tulip/de2104x.c 2006-03-22 22:25:31.000000000 +0100
@@ -1332,11 +1332,11 @@ static void de_clean_rings (struct de_pr
struct sk_buff *skb = de->tx_skb[i].skb;
if ((skb) && (skb != DE_DUMMY_SKB)) {
if (skb != DE_SETUP_SKB) {
- dev_kfree_skb(skb);
de->net_stats.tx_dropped++;
pci_unmap_single(de->pdev,
de->tx_skb[i].mapping,
skb->len, PCI_DMA_TODEVICE);
+ dev_kfree_skb(skb);
} else {
pci_unmap_single(de->pdev,
de->tx_skb[i].mapping,

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrew Morton: "Re: [patch 16/24] s390: dasd extended error reporting."
Previous message: Andrew Morton: "Re: [patch 3/24] s390: channel path measurements."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]