diff options
author | Patrick McHardy <kaber@trash.net> | 2006-03-12 23:34:27 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-03-12 23:39:38 -0500 |
commit | cc9a06cd8d6fbb69b4d3c46760c132cfe312fb85 (patch) | |
tree | c6dce78c5e845d9cd4d5baab7c8b29306fa77541 /net/netlink | |
parent | f8dc01f543f28253abeef649987249210d8db3cc (diff) |
[NETLINK]: Fix use-after-free in netlink_recvmsg
The skb given to netlink_cmsg_recv_pktinfo is already freed, move it up
a few lines.
Coverity #948
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netlink')
-rw-r--r-- | net/netlink/af_netlink.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 6b9772d95872..59dc7d140600 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c | |||
@@ -1194,6 +1194,9 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, | |||
1194 | msg->msg_namelen = sizeof(*addr); | 1194 | msg->msg_namelen = sizeof(*addr); |
1195 | } | 1195 | } |
1196 | 1196 | ||
1197 | if (nlk->flags & NETLINK_RECV_PKTINFO) | ||
1198 | netlink_cmsg_recv_pktinfo(msg, skb); | ||
1199 | |||
1197 | if (NULL == siocb->scm) { | 1200 | if (NULL == siocb->scm) { |
1198 | memset(&scm, 0, sizeof(scm)); | 1201 | memset(&scm, 0, sizeof(scm)); |
1199 | siocb->scm = &scm; | 1202 | siocb->scm = &scm; |
@@ -1205,8 +1208,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, | |||
1205 | netlink_dump(sk); | 1208 | netlink_dump(sk); |
1206 | 1209 | ||
1207 | scm_recv(sock, msg, siocb->scm, flags); | 1210 | scm_recv(sock, msg, siocb->scm, flags); |
1208 | if (nlk->flags & NETLINK_RECV_PKTINFO) | ||
1209 | netlink_cmsg_recv_pktinfo(msg, skb); | ||
1210 | 1211 | ||
1211 | out: | 1212 | out: |
1212 | netlink_rcv_wake(sk); | 1213 | netlink_rcv_wake(sk); |