author | Johannes Berg <johannes@sipsolutions.net> | 2008-05-07 19:43:59 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2008-05-12 21:22:19 -0400 |
commit | dbabad0c9c026dea3ba803cbd9d768cdffc68e32 (patch) | |
tree | 046b607c669724ab4bde3108eab4c79f467eb21d /drivers | |
parent | 6d6936e2ea82ebcbdd12d489b7b5ccf430de52f1 (diff) |
zd1211rw: fix potential use-after-free bug
zd_mac_tx_to_dev() could potentially free the skb, or hand it off
to mac80211 which might free it. Hence, this code needs to get the
usb pointer out of skb->cb before handing it off to that function.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/net/wireless/zd1211rw/zd_usb.c | 6 |
1 files changed, 5 insertions, 1 deletions
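--- a/drivers/net/wireless/zd1211rw/zd_usb.c
+++ b/drivers/net/wireless/zd1211rw/zd_usb.c
@@ -889,9 +889,13 @@ static void tx_urb_complete(struct urb *urb)
 }
 free_urb:
 skb = (struct sk_buff *)urb->context;
-zd_mac_tx_to_dev(skb, urb->status);
+/*
+* grab 'usb' pointer before handing off the skb (since
+* it might be freed by zd_mac_tx_to_dev or mac80211)
+*/
 cb = (struct zd_tx_skb_control_block *)skb->cb;
 usb = &zd_hw_mac(cb->hw)->chip.usb;
+zd_mac_tx_to_dev(skb, urb->status);
 free_tx_urb(usb, urb);
 tx_dec_submitted_urbs(usb);
 return;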
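Review bot: Once `zd_mac_tx_to_dev(skb, urb->status);` has run, both `skb` and `cb` are stale, since `cb` points into `skb->cb`, but nothing at the call line says so. The new comment explains why `usb` is read early, so the ordering is protected only by statement position. I would add a one-line comment directly above the call, such as `/* skb and cb (which lives in skb->cb) must not be dereferenced after this call */`, so a later edit does not move an access back below the hand-off. The remaining lines use only `usb` and `urb`, which looks correct provided the structure behind `cb->hw` outlives the skb; that cannot be confirmed here because the body of tx_urb_complete starts outside the hunk.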