Commit 8dc22d2b642f8a6f14ef8878777a05311e5d1d7e
Committed by
David S. Miller
David S. Miller
1 parent
518d1c9679
Exists in
master
and in
7 other branches
[ROSE]: Fix dereference of skb pointer after free.
If rose_route_frame return success we'll dereference a stale pointer. Likely this is only going to result in bad statistics for the ROSE interface. This fixes coverity 946. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 4 additions and 1 deletions Inline Diff
net/rose/rose_dev.c
| 1 | /* | 1 | /* |
| 2 | * This program is free software; you can redistribute it and/or modify | 2 | * This program is free software; you can redistribute it and/or modify |
| 3 | * it under the terms of the GNU General Public License as published by | 3 | * it under the terms of the GNU General Public License as published by |
| 4 | * the Free Software Foundation; either version 2 of the License, or | 4 | * the Free Software Foundation; either version 2 of the License, or |
| 5 | * (at your option) any later version. | 5 | * (at your option) any later version. |
| 6 | * | 6 | * |
| 7 | * Copyright (C) Jonathan Naylor G4KLX (g4klx@g4klx.demon.co.uk) | 7 | * Copyright (C) Jonathan Naylor G4KLX (g4klx@g4klx.demon.co.uk) |
| 8 | */ | 8 | */ |
| 9 | #include <linux/module.h> | 9 | #include <linux/module.h> |
| 10 | #include <linux/proc_fs.h> | 10 | #include <linux/proc_fs.h> |
| 11 | #include <linux/kernel.h> | 11 | #include <linux/kernel.h> |
| 12 | #include <linux/sched.h> | 12 | #include <linux/sched.h> |
| 13 | #include <linux/interrupt.h> | 13 | #include <linux/interrupt.h> |
| 14 | #include <linux/fs.h> | 14 | #include <linux/fs.h> |
| 15 | #include <linux/types.h> | 15 | #include <linux/types.h> |
| 16 | #include <linux/sysctl.h> | 16 | #include <linux/sysctl.h> |
| 17 | #include <linux/string.h> | 17 | #include <linux/string.h> |
| 18 | #include <linux/socket.h> | 18 | #include <linux/socket.h> |
| 19 | #include <linux/errno.h> | 19 | #include <linux/errno.h> |
| 20 | #include <linux/fcntl.h> | 20 | #include <linux/fcntl.h> |
| 21 | #include <linux/in.h> | 21 | #include <linux/in.h> |
| 22 | #include <linux/if_ether.h> | 22 | #include <linux/if_ether.h> |
| 23 | 23 | ||
| 24 | #include <asm/system.h> | 24 | #include <asm/system.h> |
| 25 | #include <asm/io.h> | 25 | #include <asm/io.h> |
| 26 | 26 | ||
| 27 | #include <linux/inet.h> | 27 | #include <linux/inet.h> |
| 28 | #include <linux/netdevice.h> | 28 | #include <linux/netdevice.h> |
| 29 | #include <linux/etherdevice.h> | 29 | #include <linux/etherdevice.h> |
| 30 | #include <linux/if_arp.h> | 30 | #include <linux/if_arp.h> |
| 31 | #include <linux/skbuff.h> | 31 | #include <linux/skbuff.h> |
| 32 | 32 | ||
| 33 | #include <net/ip.h> | 33 | #include <net/ip.h> |
| 34 | #include <net/arp.h> | 34 | #include <net/arp.h> |
| 35 | 35 | ||
| 36 | #include <net/ax25.h> | 36 | #include <net/ax25.h> |
| 37 | #include <net/rose.h> | 37 | #include <net/rose.h> |
| 38 | 38 | ||
| 39 | static int rose_header(struct sk_buff *skb, struct net_device *dev, unsigned short type, | 39 | static int rose_header(struct sk_buff *skb, struct net_device *dev, unsigned short type, |
| 40 | void *daddr, void *saddr, unsigned len) | 40 | void *daddr, void *saddr, unsigned len) |
| 41 | { | 41 | { |
| 42 | unsigned char *buff = skb_push(skb, ROSE_MIN_LEN + 2); | 42 | unsigned char *buff = skb_push(skb, ROSE_MIN_LEN + 2); |
| 43 | 43 | ||
| 44 | *buff++ = ROSE_GFI | ROSE_Q_BIT; | 44 | *buff++ = ROSE_GFI | ROSE_Q_BIT; |
| 45 | *buff++ = 0x00; | 45 | *buff++ = 0x00; |
| 46 | *buff++ = ROSE_DATA; | 46 | *buff++ = ROSE_DATA; |
| 47 | *buff++ = 0x7F; | 47 | *buff++ = 0x7F; |
| 48 | *buff++ = AX25_P_IP; | 48 | *buff++ = AX25_P_IP; |
| 49 | 49 | ||
| 50 | if (daddr != NULL) | 50 | if (daddr != NULL) |
| 51 | return 37; | 51 | return 37; |
| 52 | 52 | ||
| 53 | return -37; | 53 | return -37; |
| 54 | } | 54 | } |
| 55 | 55 | ||
| 56 | static int rose_rebuild_header(struct sk_buff *skb) | 56 | static int rose_rebuild_header(struct sk_buff *skb) |
| 57 | { | 57 | { |
| 58 | struct net_device *dev = skb->dev; | 58 | struct net_device *dev = skb->dev; |
| 59 | struct net_device_stats *stats = netdev_priv(dev); | 59 | struct net_device_stats *stats = netdev_priv(dev); |
| 60 | unsigned char *bp = (unsigned char *)skb->data; | 60 | unsigned char *bp = (unsigned char *)skb->data; |
| 61 | struct sk_buff *skbn; | 61 | struct sk_buff *skbn; |
| 62 | unsigned int len; | ||
| 62 | 63 | ||
| 63 | #ifdef CONFIG_INET | 64 | #ifdef CONFIG_INET |
| 64 | if (arp_find(bp + 7, skb)) { | 65 | if (arp_find(bp + 7, skb)) { |
| 65 | return 1; | 66 | return 1; |
| 66 | } | 67 | } |
| 67 | 68 | ||
| 68 | if ((skbn = skb_clone(skb, GFP_ATOMIC)) == NULL) { | 69 | if ((skbn = skb_clone(skb, GFP_ATOMIC)) == NULL) { |
| 69 | kfree_skb(skb); | 70 | kfree_skb(skb); |
| 70 | return 1; | 71 | return 1; |
| 71 | } | 72 | } |
| 72 | 73 | ||
| 73 | if (skb->sk != NULL) | 74 | if (skb->sk != NULL) |
| 74 | skb_set_owner_w(skbn, skb->sk); | 75 | skb_set_owner_w(skbn, skb->sk); |
| 75 | 76 | ||
| 76 | kfree_skb(skb); | 77 | kfree_skb(skb); |
| 77 | 78 | ||
| 79 | len = skbn->len; | ||
| 80 | |||
| 78 | if (!rose_route_frame(skbn, NULL)) { | 81 | if (!rose_route_frame(skbn, NULL)) { |
| 79 | kfree_skb(skbn); | 82 | kfree_skb(skbn); |
| 80 | stats->tx_errors++; | 83 | stats->tx_errors++; |
| 81 | return 1; | 84 | return 1; |
| 82 | } | 85 | } |
| 83 | 86 | ||
| 84 | stats->tx_packets++; | 87 | stats->tx_packets++; |
| 85 | stats->tx_bytes += skbn->len; | 88 | stats->tx_bytes += len; |
| 86 | #endif | 89 | #endif |
| 87 | return 1; | 90 | return 1; |
| 88 | } | 91 | } |
| 89 | 92 | ||
| 90 | static int rose_set_mac_address(struct net_device *dev, void *addr) | 93 | static int rose_set_mac_address(struct net_device *dev, void *addr) |
| 91 | { | 94 | { |
| 92 | struct sockaddr *sa = addr; | 95 | struct sockaddr *sa = addr; |
| 93 | 96 | ||
| 94 | rose_del_loopback_node((rose_address *)dev->dev_addr); | 97 | rose_del_loopback_node((rose_address *)dev->dev_addr); |
| 95 | 98 | ||
| 96 | memcpy(dev->dev_addr, sa->sa_data, dev->addr_len); | 99 | memcpy(dev->dev_addr, sa->sa_data, dev->addr_len); |
| 97 | 100 | ||
| 98 | rose_add_loopback_node((rose_address *)dev->dev_addr); | 101 | rose_add_loopback_node((rose_address *)dev->dev_addr); |
| 99 | 102 | ||
| 100 | return 0; | 103 | return 0; |
| 101 | } | 104 | } |
| 102 | 105 | ||
| 103 | static int rose_open(struct net_device *dev) | 106 | static int rose_open(struct net_device *dev) |
| 104 | { | 107 | { |
| 105 | netif_start_queue(dev); | 108 | netif_start_queue(dev); |
| 106 | rose_add_loopback_node((rose_address *)dev->dev_addr); | 109 | rose_add_loopback_node((rose_address *)dev->dev_addr); |
| 107 | return 0; | 110 | return 0; |
| 108 | } | 111 | } |
| 109 | 112 | ||
| 110 | static int rose_close(struct net_device *dev) | 113 | static int rose_close(struct net_device *dev) |
| 111 | { | 114 | { |
| 112 | netif_stop_queue(dev); | 115 | netif_stop_queue(dev); |
| 113 | rose_del_loopback_node((rose_address *)dev->dev_addr); | 116 | rose_del_loopback_node((rose_address *)dev->dev_addr); |
| 114 | return 0; | 117 | return 0; |
| 115 | } | 118 | } |
| 116 | 119 | ||
| 117 | static int rose_xmit(struct sk_buff *skb, struct net_device *dev) | 120 | static int rose_xmit(struct sk_buff *skb, struct net_device *dev) |
| 118 | { | 121 | { |
| 119 | struct net_device_stats *stats = netdev_priv(dev); | 122 | struct net_device_stats *stats = netdev_priv(dev); |
| 120 | 123 | ||
| 121 | if (!netif_running(dev)) { | 124 | if (!netif_running(dev)) { |
| 122 | printk(KERN_ERR "ROSE: rose_xmit - called when iface is down\n"); | 125 | printk(KERN_ERR "ROSE: rose_xmit - called when iface is down\n"); |
| 123 | return 1; | 126 | return 1; |
| 124 | } | 127 | } |
| 125 | dev_kfree_skb(skb); | 128 | dev_kfree_skb(skb); |
| 126 | stats->tx_errors++; | 129 | stats->tx_errors++; |
| 127 | return 0; | 130 | return 0; |
| 128 | } | 131 | } |
| 129 | 132 | ||
| 130 | static struct net_device_stats *rose_get_stats(struct net_device *dev) | 133 | static struct net_device_stats *rose_get_stats(struct net_device *dev) |
| 131 | { | 134 | { |
| 132 | return netdev_priv(dev); | 135 | return netdev_priv(dev); |
| 133 | } | 136 | } |
| 134 | 137 | ||
| 135 | void rose_setup(struct net_device *dev) | 138 | void rose_setup(struct net_device *dev) |
| 136 | { | 139 | { |
| 137 | dev->mtu = ROSE_MAX_PACKET_SIZE - 2; | 140 | dev->mtu = ROSE_MAX_PACKET_SIZE - 2; |
| 138 | dev->hard_start_xmit = rose_xmit; | 141 | dev->hard_start_xmit = rose_xmit; |
| 139 | dev->open = rose_open; | 142 | dev->open = rose_open; |
| 140 | dev->stop = rose_close; | 143 | dev->stop = rose_close; |
| 141 | 144 | ||
| 142 | dev->hard_header = rose_header; | 145 | dev->hard_header = rose_header; |
| 143 | dev->hard_header_len = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN; | 146 | dev->hard_header_len = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN; |
| 144 | dev->addr_len = ROSE_ADDR_LEN; | 147 | dev->addr_len = ROSE_ADDR_LEN; |
| 145 | dev->type = ARPHRD_ROSE; | 148 | dev->type = ARPHRD_ROSE; |
| 146 | dev->rebuild_header = rose_rebuild_header; | 149 | dev->rebuild_header = rose_rebuild_header; |
| 147 | dev->set_mac_address = rose_set_mac_address; | 150 | dev->set_mac_address = rose_set_mac_address; |
| 148 | 151 | ||
| 149 | /* New-style flags. */ | 152 | /* New-style flags. */ |
| 150 | dev->flags = IFF_NOARP; | 153 | dev->flags = IFF_NOARP; |
| 151 | dev->get_stats = rose_get_stats; | 154 | dev->get_stats = rose_get_stats; |
| 152 | } | 155 | } |
| 153 | 156 |