diff options
| author | Jon Maloy <jon.maloy@ericsson.com> | 2017-11-27 14:13:39 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-11-27 14:44:45 -0500 |
| commit | 2e724dca7749223204bbae21745c0e3fc932700a (patch) | |
| tree | 7580cc4e02d85681a4cc4e70669614d2e9d857e9 | |
| parent | 5b5971df3bc2775107ddad164018a8a8db633b81 (diff) | |
tipc: eliminate access after delete in group_filter_msg()
KASAN revealed another access after delete in group.c. This time
it found that we read the header of a received message after the
buffer has been released.
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/tipc/group.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/tipc/group.c b/net/tipc/group.c index 12777cac638a..95fec2c057d6 100644 --- a/net/tipc/group.c +++ b/net/tipc/group.c | |||
| @@ -497,6 +497,7 @@ void tipc_group_filter_msg(struct tipc_group *grp, struct sk_buff_head *inputq, | |||
| 497 | while ((skb = skb_peek(defq))) { | 497 | while ((skb = skb_peek(defq))) { |
| 498 | hdr = buf_msg(skb); | 498 | hdr = buf_msg(skb); |
| 499 | mtyp = msg_type(hdr); | 499 | mtyp = msg_type(hdr); |
| 500 | blks = msg_blocks(hdr); | ||
| 500 | deliver = true; | 501 | deliver = true; |
| 501 | ack = false; | 502 | ack = false; |
| 502 | update = false; | 503 | update = false; |
| @@ -546,7 +547,6 @@ void tipc_group_filter_msg(struct tipc_group *grp, struct sk_buff_head *inputq, | |||
| 546 | if (!update) | 547 | if (!update) |
| 547 | continue; | 548 | continue; |
| 548 | 549 | ||
| 549 | blks = msg_blocks(hdr); | ||
| 550 | tipc_group_update_rcv_win(grp, blks, node, port, xmitq); | 550 | tipc_group_update_rcv_win(grp, blks, node, port, xmitq); |
| 551 | } | 551 | } |
| 552 | return; | 552 | return; |