NFC: Fix incorrect llcp pointer dereference
authorWaldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Mon, 26 Nov 2012 07:40:04 +0000 (08:40 +0100)
committerSamuel Ortiz <sameo@linux.intel.com>
Wed, 28 Nov 2012 17:42:04 +0000 (18:42 +0100)
nfc_llcp_ns(s) dereferences the s pointer, which is freed on the line
above. As a result, it can produce a crash or read an incorrect
value.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
net/nfc/llcp/llcp.c

index 9e8f4b2801f6099ebd5afcff20d2b5ef19e16589..3d63636120b1e5c01bcdfdfd241feeb681d04582 100644 (file)
@@ -903,15 +903,18 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
        /* Remove skbs from the pending queue */
        if (llcp_sock->send_ack_n != nr) {
                struct sk_buff *s, *tmp;
+               u8 n;
 
                llcp_sock->send_ack_n = nr;
 
                /* Remove and free all skbs until ns == nr */
                skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {
+                       n = nfc_llcp_ns(s);
+
                        skb_unlink(s, &llcp_sock->tx_pending_queue);
                        kfree_skb(s);
 
-                       if (nfc_llcp_ns(s) == nr)
+                       if (n == nr)
                                break;
                }
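Review bot: The comment `/* Remove and free all skbs until ns == nr */` does not match the loop body, which unlinks and frees the skb first and only afterwards compares the cached `n` with `nr`, so the frame whose ns == nr is freed as well. If N(R) here carries the usual HDLC/LLCP meaning of "next expected sequence number", that frame has not been acknowledged yet and freeing it drops data the peer may still be waiting for; this is pre-existing and separate from the use-after-free the commit fixes, so it deserves confirmation against the LLCP spec rather than a blind change. If freeing it is wrong, move the test ahead of the free — `n = nfc_llcp_ns(s); if (n == nr) break;` before `skb_unlink(s, &llcp_sock->tx_pending_queue);` — and if freeing it is intended, reword the comment to `/* Remove and free all skbs up to and including ns == nr */`. The enclosing nfc_llcp_recv_hdlc starts and ends outside the hunk.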