diff options
| author | Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de> | 2014-03-17 13:30:19 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-03-18 15:59:25 -0400 |
| commit | 8cfad496c4257441710735ccef622f3829870164 (patch) | |
| tree | e5574aa1fac1cac858f94fffb571516bc35809dc /net/ieee802154/raw.c | |
| parent | 3c5dfeff932224d3c97cee9fd0d1e2876d700ad3 (diff) | |
ieee802154: properly unshare skbs in ieee802154 *_rcv functions
ieee802154 sockets do not properly unshare received skbs, which leads to
panics (at least) when they are used in conjunction with 6lowpan, so
run skb_share_check on received skbs.
6lowpan also contains a use-after-free, which is trivially fixed by
replacing the inlined skb_share_check with the explicit call.
Signed-off-by: Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de>
Tested-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ieee802154/raw.c')
| -rw-r--r-- | net/ieee802154/raw.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/ieee802154/raw.c b/net/ieee802154/raw.c index e5258cf6773b..74d54fae33d7 100644 --- a/net/ieee802154/raw.c +++ b/net/ieee802154/raw.c | |||
| @@ -213,6 +213,10 @@ out: | |||
| 213 | 213 | ||
| 214 | static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb) | 214 | static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb) |
| 215 | { | 215 | { |
| 216 | skb = skb_share_check(skb, GFP_ATOMIC); | ||
| 217 | if (!skb) | ||
| 218 | return NET_RX_DROP; | ||
| 219 | |||
| 216 | if (sock_queue_rcv_skb(sk, skb) < 0) { | 220 | if (sock_queue_rcv_skb(sk, skb) < 0) { |
| 217 | kfree_skb(skb); | 221 | kfree_skb(skb); |
| 218 | return NET_RX_DROP; | 222 | return NET_RX_DROP; |