From: Jiri Slaby Date: Sun, 10 Oct 2010 22:46:34 +0000 (+0000) Subject: ATM: mpc, fix use after free X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=5518b29f225dbdf47ded02cf229ff8225a2cdf82;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git ATM: mpc, fix use after free Stanse found that mpc_push frees skb and then it dereferences it. It is a typo, new_skb should be dereferenced there. Signed-off-by: Jiri Slaby Cc: Eric Dumazet Acked-by: Eric Dumazet Signed-off-by: David S. Miller --- diff --git a/net/atm/mpc.c b/net/atm/mpc.c index 622b471e14e0..74bcc662c3dd 100644 --- a/net/atm/mpc.c +++ b/net/atm/mpc.c @@ -778,7 +778,7 @@ static void mpc_push(struct atm_vcc *vcc, struct sk_buff *skb) eg->packets_rcvd++; mpc->eg_ops->put(eg); - memset(ATM_SKB(skb), 0, sizeof(struct atm_skb_data)); + memset(ATM_SKB(new_skb), 0, sizeof(struct atm_skb_data)); netif_rx(new_skb); }