projects / GitHub / LineageOS / G12 / android_kernel_amlogic_linux-4.9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: aab0c0e)
tipc: reinitialize pointer after skb linearize
authorErik Hugne <erik.hugne@ericsson.com>
Fri, 18 Sep 2015 08:46:31 +0000 (10:46 +0200)
committerDavid S. Miller <davem@davemloft.net>
Mon, 21 Sep 2015 05:31:20 +0000 (22:31 -0700)
The msg pointer into header may change after skb linearization.
We must reinitialize it after calling skb_linearize to prevent
operating on a freed or invalid pointer.

Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Reported-by: Tamás Végh <tamas.vegh@ericsson.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/tipc/msg.c patch | blob | blame | history

diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 562c926a51cc7baa859115b6a0d444f73febf357..c5ac436235e0823c016123394fef6a0cf321092c 100644 (file)
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -539,6 +539,7 @@ bool tipc_msg_lookup_dest(struct net *net, struct sk_buff *skb, int *err)
        *err = -TIPC_ERR_NO_NAME;
        if (skb_linearize(skb))
                return false;
+       msg = buf_msg(skb);
        if (msg_reroute_cnt(msg))
                return false;
        dnode = addr_domain(net, msg_lookup_scope(msg));