diff options
| author | Erik Hugne <erik.hugne@ericsson.com> | 2015-09-18 04:46:31 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-09-21 01:31:20 -0400 |
| commit | 4e3ae00100945d39e1f83b7c0179a114ccf55759 (patch) | |
| tree | 0d911950c7ea216376f756cd1e4d33a7ce9ba449 /net/tipc | |
| parent | aab0c0e62ec4af224d1b6b40fca65055d403400b (diff) | |
tipc: reinitialize pointer after skb linearize
The msg pointer into header may change after skb linearization.
We must reinitialize it after calling skb_linearize to prevent
operating on a freed or invalid pointer.
Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Reported-by: Tamás Végh <tamas.vegh@ericsson.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc')
| -rw-r--r-- | net/tipc/msg.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/tipc/msg.c b/net/tipc/msg.c index 562c926a51cc..c5ac436235e0 100644 --- a/net/tipc/msg.c +++ b/net/tipc/msg.c | |||
| @@ -539,6 +539,7 @@ bool tipc_msg_lookup_dest(struct net *net, struct sk_buff *skb, int *err) | |||
| 539 | *err = -TIPC_ERR_NO_NAME; | 539 | *err = -TIPC_ERR_NO_NAME; |
| 540 | if (skb_linearize(skb)) | 540 | if (skb_linearize(skb)) |
| 541 | return false; | 541 | return false; |
| 542 | msg = buf_msg(skb); | ||
| 542 | if (msg_reroute_cnt(msg)) | 543 | if (msg_reroute_cnt(msg)) |
| 543 | return false; | 544 | return false; |
| 544 | dnode = addr_domain(net, msg_lookup_scope(msg)); | 545 | dnode = addr_domain(net, msg_lookup_scope(msg)); |