pppoatm: drop frames to not-ready vcc
authorKrzysztof Mazur <krzysiek@podlesie.net>
Sat, 10 Nov 2012 22:33:19 +0000 (23:33 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Fri, 30 Nov 2012 12:21:42 +0000 (12:21 +0000)
The vcc_destroy_socket() closes vcc before the protocol is detached
from vcc by calling vcc->push() with NULL skb. This leaves some time
window, where the protocol may call vcc->send() on closed vcc
and crash.

Now pppoatm_send(), like vcc_sendmsg(), checks for vcc flags that
indicate that vcc is not ready. If the vcc is not ready we just
drop frame. Queueing frames is much more complicated because we
don't have callbacks that inform us about vcc flags changes.

Signed-off-by: Krzysztof Mazur <krzysiek@podlesie.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
net/atm/pppoatm.c

index c4a57bca77bf6b171a57d25401a69227b73662a1..aeb726cffc8cf4cb3cfc41cca71068c8057c4198 100644 (file)
@@ -284,6 +284,13 @@ static int pppoatm_send(struct ppp_channel *chan, struct sk_buff *skb)
        bh_lock_sock(sk_atm(vcc));
        if (sock_owned_by_user(sk_atm(vcc)))
                goto nospace;
+       if (test_bit(ATM_VF_RELEASED, &vcc->flags) ||
+           test_bit(ATM_VF_CLOSE, &vcc->flags) ||
+           !test_bit(ATM_VF_READY, &vcc->flags)) {
+               bh_unlock_sock(sk_atm(vcc));
+               kfree_skb(skb);
+               return DROP_PACKET;
+       }
 
        switch (pvcc->encaps) {         /* LLC encapsulation needed */
        case e_llc: