author | Patrick McHardy <kaber@trash.net> | 2007-05-03 06:27:01 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2007-05-03 06:27:01 -0400 |
commit | 188ccb5583b8f501e1d0f5ba4f056afa141694e7 (patch) | |
tree | 3df30fcc6e333048517e79a3ec3a49b98617f447 | |
parent | 3f660d66dfbc13ea4b61d3865851b348444c24b4 (diff) |
[NETLINK]: Fix use after free in netlink_recvmsg
When the user passes in MSG_TRUNC the skb is used after getting freed.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/netlink/af_netlink.c | 6 |
1 files changed, 2 insertions, 4 deletions
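--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1246,16 +1246,14 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
 siocb->scm = &scm;
 }
 siocb->scm->creds = *NETLINK_CREDS(skb);
+if (flags & MSG_TRUNC)
+copied = skb->len;
 skb_free_datagram(sk, skb);
 
 if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2)
 netlink_dump(sk);
 
 scm_recv(sock, msg, siocb->scm, flags);
-
-if (flags & MSG_TRUNC)
-copied = skb->len;
-
 out:
 netlink_rcv_wake(sk);
 return err ? : copied;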
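Review bot: Nothing at the relocated `if (flags & MSG_TRUNC)` block records that it must stay above `skb_free_datagram(sk, skb)`, which is the ordering the old code got wrong by reading `skb->len` after `scm_recv()`. A short comment on the new lines, for example `/* read skb->len before skb_free_datagram() releases the skb */`, would keep a later reshuffle from reintroducing the use after free. The same constraint covers the `*NETLINK_CREDS(skb)` copy just above, so the comment could name both reads as the last permitted uses of `skb`. netlink_recvmsg begins before the hunk and its closing brace is past it, so whether any other path touches `skb` after the free cannot be checked from these lines.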