Re: net/irda: use-after-free in ircomm_param_request

From: Cong Wang
Date: Tue Jan 26 2016 - 13:13:37 EST

Next message: Dave Penkler: "Re: [PATCH v6 4/5] Add ioctl to retrieve USBTMC-USB488 capabilities"
Previous message: primfinance: "Kredit?"
In reply to: Dmitry Vyukov: "net/irda: use-after-free in ircomm_param_request"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jan 25, 2016 at 7:59 AM, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
> It seems that skb can be freed after skb_put() and spinlock unlock,
> but ircomm_param_request reads skb->len afterwards:
>
> int ircomm_param_request(struct ircomm_tty_cb *self, __u8 pi, int flush)
> {
> ...
> skb_put(skb, count);
> spin_unlock_irqrestore(&self->spinlock, flags);
> pr_debug("%s(), skb->len=%d\n", __func__ , skb->len);
>

This looks correct to me. We can either get rid of that debugging
print or move it under spinlock.

Next message: Dave Penkler: "Re: [PATCH v6 4/5] Add ioctl to retrieve USBTMC-USB488 capabilities"
Previous message: primfinance: "Kredit?"
In reply to: Dmitry Vyukov: "net/irda: use-after-free in ircomm_param_request"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]