tipc: reinitialize pointer after skb linearize

The msg pointer into header may change after skb linearization. We must reinitialize it after calling skb_linearize to prevent operating on a freed or invalid pointer. Signed-off-by: Erik Hugne <erik.hugne@ericsson.com> Reported-by: Tamás Végh <tamas.vegh@ericsson.com> Acked-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>

tipc: reinitialize pointer after skb linearize
The msg pointer into header may change after skb linearization. We must reinitialize it after calling skb_linearize to prevent operating on a freed or invalid pointer. Signed-off-by: Erik Hugne <erik.hugne@ericsson.com> Reported-by: Tamás Végh <tamas.vegh@ericsson.com> Acked-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Erik Hugne · David S. Miller
1 parent aab0c0e62e
Showing 1 changed file with 1 additions and 0 deletions Side-by-side Diff
net/tipc/msg.c
@@ -539,6 +539,7 @@
 	*err = -TIPC_ERR_NO_NAME;
 	if (skb_linearize(skb))
 		return false;
+	msg = buf_msg(skb);
 	if (msg_reroute_cnt(msg))
 		return false;
 	dnode = addr_domain(net, msg_lookup_scope(msg));
...	...	@@ -539,6 +539,7 @@
539	539	*err = -TIPC_ERR_NO_NAME;
540	540	if (skb_linearize(skb))
541	541	return false;
	542	+ msg = buf_msg(skb);
542	543	if (msg_reroute_cnt(msg))
543	544	return false;
544	545	dnode = addr_domain(net, msg_lookup_scope(msg));