diff options
| author | Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com> | 2012-11-26 02:40:04 -0500 |
|---|---|---|
| committer | Samuel Ortiz <sameo@linux.intel.com> | 2012-11-28 12:42:04 -0500 |
| commit | 289814918ce3af1296ac7d9b05508bde64e97348 (patch) | |
| tree | 3f9177e30161d0ece3bb426c735d122fda71ee3c /net/nfc | |
| parent | 6bdd253f635f7b2ef027d116933a6c9ec148b87f (diff) | |
NFC: Fix incorrect llcp pointer dereference
nfc_llcp_ns(s) dereferences the s pointer which is freed a line
above. In a result, it can produce a crash or you will read
incorrect value.
Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Diffstat (limited to 'net/nfc')
| -rw-r--r-- | net/nfc/llcp/llcp.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c index 9e8f4b2801f6..3d63636120b1 100644 --- a/net/nfc/llcp/llcp.c +++ b/net/nfc/llcp/llcp.c | |||
| @@ -903,15 +903,18 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local, | |||
| 903 | /* Remove skbs from the pending queue */ | 903 | /* Remove skbs from the pending queue */ |
| 904 | if (llcp_sock->send_ack_n != nr) { | 904 | if (llcp_sock->send_ack_n != nr) { |
| 905 | struct sk_buff *s, *tmp; | 905 | struct sk_buff *s, *tmp; |
| 906 | u8 n; | ||
| 906 | 907 | ||
| 907 | llcp_sock->send_ack_n = nr; | 908 | llcp_sock->send_ack_n = nr; |
| 908 | 909 | ||
| 909 | /* Remove and free all skbs until ns == nr */ | 910 | /* Remove and free all skbs until ns == nr */ |
| 910 | skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) { | 911 | skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) { |
| 912 | n = nfc_llcp_ns(s); | ||
| 913 | |||
| 911 | skb_unlink(s, &llcp_sock->tx_pending_queue); | 914 | skb_unlink(s, &llcp_sock->tx_pending_queue); |
| 912 | kfree_skb(s); | 915 | kfree_skb(s); |
| 913 | 916 | ||
| 914 | if (nfc_llcp_ns(s) == nr) | 917 | if (n == nr) |
| 915 | break; | 918 | break; |
| 916 | } | 919 | } |
| 917 | 920 | ||