[ROSE]: Fix dereference of skb pointer after free.

If rose_route_frame return success we'll dereference a stale pointer. Likely this is only going to result in bad statistics for the ROSE interface. This fixes coverity 946. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>

[ROSE]: Fix dereference of skb pointer after free.
If rose_route_frame return success we'll dereference a stale pointer. Likely this is only going to result in bad statistics for the ROSE interface. This fixes coverity 946. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Ralf Baechle · David S. Miller
1 parent 518d1c9679
Showing 1 changed file with 4 additions and 1 deletions Side-by-side Diff
net/rose/rose_dev.c
@@ -59,6 +59,7 @@
 	struct net_device_stats *stats = netdev_priv(dev);
 	unsigned char *bp = (unsigned char *)skb->data;
 	struct sk_buff *skbn;
+	unsigned int len;
  
 #ifdef CONFIG_INET
 	if (arp_find(bp + 7, skb)) {
@@ -75,6 +76,8 @@
  
 	kfree_skb(skb);
  
+	len = skbn->len;
+
 	if (!rose_route_frame(skbn, NULL)) {
 		kfree_skb(skbn);
 		stats->tx_errors++;
@@ -82,7 +85,7 @@
 	}
  
 	stats->tx_packets++;
-	stats->tx_bytes += skbn->len;
+	stats->tx_bytes += len;
 #endif
 	return 1;
 }
...	...	@@ -59,6 +59,7 @@
59	59	struct net_device_stats *stats = netdev_priv(dev);
60	60	unsigned char bp = (unsigned char )skb->data;
61	61	struct sk_buff *skbn;
	62	+ unsigned int len;
62	63
63	64	#ifdef CONFIG_INET
64	65	if (arp_find(bp + 7, skb)) {
...	...	@@ -75,6 +76,8 @@
75	76
76	77	kfree_skb(skb);
77	78
	79	+ len = skbn->len;
	80	+
78	81	if (!rose_route_frame(skbn, NULL)) {
79	82	kfree_skb(skbn);
80	83	stats->tx_errors++;
...	...	@@ -82,7 +85,7 @@
82	85	}
83	86
84	87	stats->tx_packets++;
85		- stats->tx_bytes += skbn->len;
	88	+ stats->tx_bytes += len;
86	89	#endif
87	90	return 1;
88	91	}