[ROSE]: Fix dereference of skb pointer after free.

If rose_route_frame return success we'll dereference a stale pointer. Likely this is only going to result in bad statistics for the ROSE interface. This fixes coverity 946. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Ralf Baechle <ralf@linux-mips.org> 2006-07-03 22:29:15 -0400
committer: David S. Miller <davem@davemloft.net> 2006-07-03 22:29:15 -0400
commit: 8dc22d2b642f8a6f14ef8878777a05311e5d1d7e (patch)
tree: fb6ec490d0318cf7c267668f6d06391b2033b2fb /net/rose
parent: 518d1c9679f644811adaa22d853f43a83fbdae84 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/net/rose/rose_dev.c b/net/rose/rose_dev.c
index 9d0bf2a1ea3f..7c279e2659ec 100644
--- a/net/rose/rose_dev.c
+++ b/net/rose/rose_dev.c
@@ -59,6 +59,7 @@ static int rose_rebuild_header(struct sk_buff *skb)
        struct net_device_stats *stats = netdev_priv(dev);
        unsigned char *bp = (unsigned char *)skb->data;
        struct sk_buff *skbn;
+        unsigned int len;
 #ifdef CONFIG_INET
        if (arp_find(bp + 7, skb)) {
@@ -75,6 +76,8 @@ static int rose_rebuild_header(struct sk_buff *skb)
        kfree_skb(skb);
+        len = skbn->len;
        if (!rose_route_frame(skbn, NULL)) {
                kfree_skb(skbn);
                stats->tx_errors++;
@@ -82,7 +85,7 @@ static int rose_rebuild_header(struct sk_buff *skb)
        }
        stats->tx_packets++;
-        stats->tx_bytes += skbn->len;
+        stats->tx_bytes += len;
 #endif
        return 1;
 }
author	Ralf Baechle <ralf@linux-mips.org>	2006-07-03 22:29:15 -0400
committer	David S. Miller <davem@davemloft.net>	2006-07-03 22:29:15 -0400
commit	8dc22d2b642f8a6f14ef8878777a05311e5d1d7e (patch)
tree	fb6ec490d0318cf7c267668f6d06391b2033b2fb /net/rose
parent	518d1c9679f644811adaa22d853f43a83fbdae84 (diff)