aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-03-12 23:34:27 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-03-12 23:39:38 -0500
commitcc9a06cd8d6fbb69b4d3c46760c132cfe312fb85 (patch)
treec6dce78c5e845d9cd4d5baab7c8b29306fa77541
parentf8dc01f543f28253abeef649987249210d8db3cc (diff)
[NETLINK]: Fix use-after-free in netlink_recvmsg
The skb given to netlink_cmsg_recv_pktinfo is already freed, move it up a few lines. Coverity #948 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/netlink/af_netlink.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 6b9772d95872..59dc7d140600 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1194,6 +1194,9 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
1194 msg->msg_namelen = sizeof(*addr); 1194 msg->msg_namelen = sizeof(*addr);
1195 } 1195 }
1196 1196
1197 if (nlk->flags & NETLINK_RECV_PKTINFO)
1198 netlink_cmsg_recv_pktinfo(msg, skb);
1199
1197 if (NULL == siocb->scm) { 1200 if (NULL == siocb->scm) {
1198 memset(&scm, 0, sizeof(scm)); 1201 memset(&scm, 0, sizeof(scm));
1199 siocb->scm = &scm; 1202 siocb->scm = &scm;
@@ -1205,8 +1208,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
1205 netlink_dump(sk); 1208 netlink_dump(sk);
1206 1209
1207 scm_recv(sock, msg, siocb->scm, flags); 1210 scm_recv(sock, msg, siocb->scm, flags);
1208 if (nlk->flags & NETLINK_RECV_PKTINFO)
1209 netlink_cmsg_recv_pktinfo(msg, skb);
1210 1211
1211out: 1212out:
1212 netlink_rcv_wake(sk); 1213 netlink_rcv_wake(sk);