diff options
author | Arnaldo Carvalho de Melo <acme@redhat.com> | 2009-09-11 14:35:22 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-09-11 15:54:23 -0400 |
commit | ffcfb8db540ff879c2a85bf7e404954281443414 (patch) | |
tree | 9b0014cd056c4283e6df924a5fe28ab54542c1d3 /net/appletalk/aarp.c | |
parent | 8ba69ba6a324b13e1190fc31e41954d190fd4f1d (diff) |
Subject: [PATCH] appletalk: Fix skb leak when ipddp interface is not loaded
And also do a better job of returning proper NET_{RX,XMIT}_ values.
Based on a patch and suggestions by Mark Smith.
This fixes CVE-2009-2903
Reported-by: Mark Smith <lk-netdev@lk-netdev.nosense.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/appletalk/aarp.c')
-rw-r--r-- | net/appletalk/aarp.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c index 89f99d3beb60..9d4adfd22757 100644 --- a/net/appletalk/aarp.c +++ b/net/appletalk/aarp.c | |||
@@ -599,7 +599,7 @@ int aarp_send_ddp(struct net_device *dev, struct sk_buff *skb, | |||
599 | 599 | ||
600 | /* Non ELAP we cannot do. */ | 600 | /* Non ELAP we cannot do. */ |
601 | if (dev->type != ARPHRD_ETHER) | 601 | if (dev->type != ARPHRD_ETHER) |
602 | return -1; | 602 | goto free_it; |
603 | 603 | ||
604 | skb->dev = dev; | 604 | skb->dev = dev; |
605 | skb->protocol = htons(ETH_P_ATALK); | 605 | skb->protocol = htons(ETH_P_ATALK); |
@@ -634,7 +634,7 @@ int aarp_send_ddp(struct net_device *dev, struct sk_buff *skb, | |||
634 | if (!a) { | 634 | if (!a) { |
635 | /* Whoops slipped... good job it's an unreliable protocol 8) */ | 635 | /* Whoops slipped... good job it's an unreliable protocol 8) */ |
636 | write_unlock_bh(&aarp_lock); | 636 | write_unlock_bh(&aarp_lock); |
637 | return -1; | 637 | goto free_it; |
638 | } | 638 | } |
639 | 639 | ||
640 | /* Set up the queue */ | 640 | /* Set up the queue */ |
@@ -663,15 +663,21 @@ out_unlock: | |||
663 | write_unlock_bh(&aarp_lock); | 663 | write_unlock_bh(&aarp_lock); |
664 | 664 | ||
665 | /* Tell the ddp layer we have taken over for this frame. */ | 665 | /* Tell the ddp layer we have taken over for this frame. */ |
666 | return 0; | 666 | goto sent; |
667 | 667 | ||
668 | sendit: | 668 | sendit: |
669 | if (skb->sk) | 669 | if (skb->sk) |
670 | skb->priority = skb->sk->sk_priority; | 670 | skb->priority = skb->sk->sk_priority; |
671 | dev_queue_xmit(skb); | 671 | if (dev_queue_xmit(skb)) |
672 | goto drop; | ||
672 | sent: | 673 | sent: |
673 | return 1; | 674 | return NET_XMIT_SUCCESS; |
675 | free_it: | ||
676 | kfree_skb(skb); | ||
677 | drop: | ||
678 | return NET_XMIT_DROP; | ||
674 | } | 679 | } |
680 | EXPORT_SYMBOL(aarp_send_ddp); | ||
675 | 681 | ||
676 | /* | 682 | /* |
677 | * An entry in the aarp unresolved queue has become resolved. Send | 683 | * An entry in the aarp unresolved queue has become resolved. Send |