firewire: net: fix use after free in fwnet_finish_incoming_packet()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The netif_rx() function frees the skb so we can't dereference it to
save the skb->len.

Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Link: https://lore.kernel.org/r/tencent_3B3D24B66ED66A6BB73CC0E63C6A14E45109@qq.com
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>

authored by

Zhang Shurong and committed by

Takashi Sakamoto 2 years ago 3ff25675 06f45435

+4 -2

1 changed file

expand all

drivers

firewire

net.c

+4 -2

drivers/firewire/net.c

··· 479 479 struct sk_buff *skb, u16 source_node_id, 480 480 bool is_broadcast, u16 ether_type) 481 481 { 482 - int status; 482 + int status, len; 483 483 484 484 switch (ether_type) { 485 485 case ETH_P_ARP: ··· 533 533 } 534 534 skb->protocol = protocol; 535 535 } 536 + 537 + len = skb->len; 536 538 status = netif_rx(skb); 537 539 if (status == NET_RX_DROP) { 538 540 net->stats.rx_errors++; 539 541 net->stats.rx_dropped++; 540 542 } else { 541 543 net->stats.rx_packets++; 542 - net->stats.rx_bytes += skb->len; 544 + net->stats.rx_bytes += len; 543 545 } 544 546 545 547 return 0;