staging: rtl8192u: Fix use after free in ieee80211_rx()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

We cannot dereference the "skb" pointer after calling
ieee80211_monitor_rx(), because it is a use after free.

Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/Y33BArx3k/aw6yv/@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Dan Carpenter and committed by

Greg Kroah-Hartman 3 years ago bcc5e2dc 9dadff06

+3 -1

1 changed file

expand all

drivers

staging

rtl8192u

ieee80211

ieee80211_rx.c

+3 -1

drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c

··· 951 951 #endif 952 952 953 953 if (ieee->iw_mode == IW_MODE_MONITOR) { 954 + unsigned int len = skb->len; 955 + 954 956 ieee80211_monitor_rx(ieee, skb, rx_stats); 955 957 stats->rx_packets++; 956 - stats->rx_bytes += skb->len; 958 + stats->rx_bytes += len; 957 959 return 1; 958 960 } 959 961