diff options
| author | Dan Carpenter <dan.carpenter@linaro.org> | 2025-03-14 13:10:57 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-03-28 21:59:53 +0100 |
| commit | 9566f6ee13b17a15d0a47667ad1b1893c539f730 (patch) | |
| tree | 6c2b507caa552c6f6af1bc56c0a0e53491cabf86 | |
| parent | a235ec29c94531aa4fbd2c1022442aac4c528fbe (diff) | |
| download | linux-9566f6ee13b17a15d0a47667ad1b1893c539f730.tar.gz linux-9566f6ee13b17a15d0a47667ad1b1893c539f730.tar.bz2 linux-9566f6ee13b17a15d0a47667ad1b1893c539f730.zip | |
net: atm: fix use after free in lec_send()
[ Upstream commit f3009d0d6ab78053117f8857b921a8237f4d17b3 ]
The ->send() operation frees skb so save the length before calling
->send() to avoid a use after free.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/c751531d-4af4-42fe-affe-6104b34b791d@stanley.mountain
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
| -rw-r--r-- | net/atm/lec.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/atm/lec.c b/net/atm/lec.c index 6257bf12e5a0..ac3cfc1ae510 100644 --- a/net/atm/lec.c +++ b/net/atm/lec.c @@ -181,6 +181,7 @@ static void lec_send(struct atm_vcc *vcc, struct sk_buff *skb) { struct net_device *dev = skb->dev; + unsigned int len = skb->len; ATM_SKB(skb)->vcc = vcc; atm_account_tx(vcc, skb); @@ -191,7 +192,7 @@ lec_send(struct atm_vcc *vcc, struct sk_buff *skb) } dev->stats.tx_packets++; - dev->stats.tx_bytes += skb->len; + dev->stats.tx_bytes += len; } static void lec_tx_timeout(struct net_device *dev, unsigned int txqueue) |