aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHendrik Brueckner <brueckner@linux.vnet.ibm.com>2009-04-21 02:04:21 -0400
committerDavid S. Miller <davem@davemloft.net>2009-04-22 02:43:13 -0400
commit60d3705fcbfe7deca8e94bc7ddecd6f9f1a4647e (patch)
treeafd8b424d6a8367ebca081e103a035ca346f88f9
parentbbe188c8f16effd902d1ad391e06e41ce649b22e (diff)
af_iucv: fix oops in iucv_sock_recvmsg() for MSG_PEEK flag
If iucv_sock_recvmsg() is called with MSG_PEEK flag set, the skb is enqueued twice. If the socket is then closed, the pointer to the skb is freed twice. Remove the skb_queue_head() call for MSG_PEEK, because the skb_recv_datagram() function already handles MSG_PEEK (does not dequeue the skb). Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com> Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/iucv/af_iucv.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 2941ee50393b..42b3be302c57 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -814,6 +814,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
814 814
815 target = sock_rcvlowat(sk, flags & MSG_WAITALL, len); 815 target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
816 816
817 /* receive/dequeue next skb:
818 * the function understands MSG_PEEK and, thus, does not dequeue skb */
817 skb = skb_recv_datagram(sk, flags, noblock, &err); 819 skb = skb_recv_datagram(sk, flags, noblock, &err);
818 if (!skb) { 820 if (!skb) {
819 if (sk->sk_shutdown & RCV_SHUTDOWN) 821 if (sk->sk_shutdown & RCV_SHUTDOWN)
@@ -861,9 +863,7 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
861 iucv_process_message_q(sk); 863 iucv_process_message_q(sk);
862 spin_unlock_bh(&iucv->message_q.lock); 864 spin_unlock_bh(&iucv->message_q.lock);
863 } 865 }
864 866 }
865 } else
866 skb_queue_head(&sk->sk_receive_queue, skb);
867 867
868done: 868done:
869 return err ? : copied; 869 return err ? : copied;