aboutsummaryrefslogtreecommitdiffstats
path: root/net/appletalk/aarp.c
diff options
context:
space:
mode:
authorArnaldo Carvalho de Melo <acme@redhat.com>2009-09-11 14:35:22 -0400
committerDavid S. Miller <davem@davemloft.net>2009-09-11 15:54:23 -0400
commitffcfb8db540ff879c2a85bf7e404954281443414 (patch)
tree9b0014cd056c4283e6df924a5fe28ab54542c1d3 /net/appletalk/aarp.c
parent8ba69ba6a324b13e1190fc31e41954d190fd4f1d (diff)
Subject: [PATCH] appletalk: Fix skb leak when ipddp interface is not loaded
And also do a better job of returning proper NET_{RX,XMIT}_ values. Based on a patch and suggestions by Mark Smith. This fixes CVE-2009-2903 Reported-by: Mark Smith <lk-netdev@lk-netdev.nosense.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/appletalk/aarp.c')
-rw-r--r--net/appletalk/aarp.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c
index 89f99d3beb60..9d4adfd22757 100644
--- a/net/appletalk/aarp.c
+++ b/net/appletalk/aarp.c
@@ -599,7 +599,7 @@ int aarp_send_ddp(struct net_device *dev, struct sk_buff *skb,
599 599
600 /* Non ELAP we cannot do. */ 600 /* Non ELAP we cannot do. */
601 if (dev->type != ARPHRD_ETHER) 601 if (dev->type != ARPHRD_ETHER)
602 return -1; 602 goto free_it;
603 603
604 skb->dev = dev; 604 skb->dev = dev;
605 skb->protocol = htons(ETH_P_ATALK); 605 skb->protocol = htons(ETH_P_ATALK);
@@ -634,7 +634,7 @@ int aarp_send_ddp(struct net_device *dev, struct sk_buff *skb,
634 if (!a) { 634 if (!a) {
635 /* Whoops slipped... good job it's an unreliable protocol 8) */ 635 /* Whoops slipped... good job it's an unreliable protocol 8) */
636 write_unlock_bh(&aarp_lock); 636 write_unlock_bh(&aarp_lock);
637 return -1; 637 goto free_it;
638 } 638 }
639 639
640 /* Set up the queue */ 640 /* Set up the queue */
@@ -663,15 +663,21 @@ out_unlock:
663 write_unlock_bh(&aarp_lock); 663 write_unlock_bh(&aarp_lock);
664 664
665 /* Tell the ddp layer we have taken over for this frame. */ 665 /* Tell the ddp layer we have taken over for this frame. */
666 return 0; 666 goto sent;
667 667
668sendit: 668sendit:
669 if (skb->sk) 669 if (skb->sk)
670 skb->priority = skb->sk->sk_priority; 670 skb->priority = skb->sk->sk_priority;
671 dev_queue_xmit(skb); 671 if (dev_queue_xmit(skb))
672 goto drop;
672sent: 673sent:
673 return 1; 674 return NET_XMIT_SUCCESS;
675free_it:
676 kfree_skb(skb);
677drop:
678 return NET_XMIT_DROP;
674} 679}
680EXPORT_SYMBOL(aarp_send_ddp);
675 681
676/* 682/*
677 * An entry in the aarp unresolved queue has become resolved. Send 683 * An entry in the aarp unresolved queue has become resolved. Send