* [PATCH] packet: fix potential use after free
@ 2014-04-10  1:22 Eric Dumazet
  2014-04-10  8:19 ` Daniel Borkmann
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2014-04-10  1:22 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, Xi Wang

From: Eric Dumazet <edumazet@google.com>

As soon as skb is queued into sk_receive_queue, it can be consumed,
so it's racy to access skb->len.

Given that sk_data_ready() / sock_def_readable() don't really care, just
use 0 instead of skb->len.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Xi Wang <xii@google.com>
---
 net/packet/af_packet.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 72e0c71fb01d..373d557e22ee 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1848,7 +1848,8 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
 	skb->dropcount = atomic_read(&sk->sk_drops);
 	__skb_queue_tail(&sk->sk_receive_queue, skb);
 	spin_unlock(&sk->sk_receive_queue.lock);
-	sk->sk_data_ready(sk, skb->len);
+	/* Remember: we can not reference skb after this point */
+	sk->sk_data_ready(sk, 0);
 	return 0;
 
 drop_n_acct:
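Review bot: passing a constant 0 at the `sk->sk_data_ready(sk, 0);` line closes the read-after-publish, but it also changes what any non-default sk_data_ready callback installed on a packet socket would receive; if the length is ever wanted, capture it into a local before `__skb_queue_tail()` while the queue lock is still held (`unsigned int len = skb->len;`) and pass that, which is equally safe. Either way the new comment should say why the argument is 0 (the default sock_def_readable() ignores it, as the commit message notes) so a later reader does not "fix" it back to skb->len. Nit: "can not" reads better as "cannot".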

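The ownership hand-off the commit message describes, as an added user-space model that is not part of the original post and not kernel code: a lock-protected queue, a consumer thread that dequeues and frees, and a producer written in the post-patch shape, which copies out everything it needs before `__rxq_queue_tail()` and never touches the buffer afterwards. `struct pkt`, `struct rxq`, `publish_fixed()` and `run_demo()` are hypothetical stand-ins for sk_buff, sk_receive_queue and packet_rcv(); the packet lengths are constructed for the demo.

```c
#include <pthread.h>
#include <stdlib.h>

/* Constructed user-space model of the packet_rcv() hand-off: struct pkt,
 * struct rxq and publish_fixed() stand in for sk_buff, sk_receive_queue
 * and the af_packet code. Hypothetical names, not kernel code. */
struct pkt {
	struct pkt *next;
	size_t len;
	unsigned char data[64];
};

struct rxq {
	pthread_mutex_t lock;
	pthread_cond_t ready;
	struct pkt *head, *tail;
};

/* Counterpart of __skb_queue_tail(): caller holds q->lock. Once this
 * returns, the packet belongs to whichever thread dequeues it. */
static void __rxq_queue_tail(struct rxq *q, struct pkt *p)
{
	p->next = NULL;
	if (q->tail)
		q->tail->next = p;
	else
		q->head = p;
	q->tail = p;
}

/* Stand-in for sk->sk_data_ready(): like sock_def_readable() it only
 * wakes the reader and ignores the length argument. */
static void data_ready(struct rxq *q, size_t len)
{
	(void)len;
	pthread_cond_signal(&q->ready);
}

/* Post-patch shape of packet_rcv(): whatever the producer still needs is
 * copied out before the hand-off and p is never touched once visible.
 * The pre-patch code read p->len after the unlock, when the consumer may
 * already have freed p. */
static size_t publish_fixed(struct rxq *q, struct pkt *p)
{
	size_t len = p->len;	/* captured while p is still ours */
	pthread_mutex_lock(&q->lock);
	__rxq_queue_tail(q, p);
	pthread_mutex_unlock(&q->lock);
	/* Remember: we can not reference p after this point */
	data_ready(q, len);	/* the patch passes 0; a local copy also works */
	return len;
}

/* Consumer side: blocks until a packet is queued and returns it owned. */
static struct pkt *rxq_dequeue(struct rxq *q)
{
	struct pkt *p;
	pthread_mutex_lock(&q->lock);
	while (!q->head)
		pthread_cond_wait(&q->ready, &q->lock);
	p = q->head;
	if (!(q->head = p->next))
		q->tail = NULL;
	pthread_mutex_unlock(&q->lock);
	return p;
}

struct consumer { struct rxq *q; size_t total; };

/* Sums and frees packets until a zero-length end marker arrives. This
 * free() is what the producer's late p->len read raced against. */
static void *consumer_thread(void *arg)
{
	struct consumer *c = arg;
	struct pkt *p;
	while ((p = rxq_dequeue(c->q))->len) {
		c->total += p->len;
		free(p);
	}
	free(p);	/* the end marker */
	return NULL;
}

/* Publishes npkts constructed packets of length (i % 64) + 1 plus the end
 * marker while a consumer frees them. Returns the producer's byte total
 * and stores the consumer's in *consumed; the two must agree. */
size_t run_demo(size_t npkts, size_t *consumed)
{
	struct rxq q = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, NULL, NULL };
	struct consumer c = { &q, 0 };
	pthread_t tid;
	size_t produced = 0;
	if (pthread_create(&tid, NULL, consumer_thread, &c)) abort();
	for (size_t i = 0; i <= npkts; i++) {
		struct pkt *p = calloc(1, sizeof(*p));	/* last one is the marker */
		if (!p) abort();
		p->len = i < npkts ? i % 64 + 1 : 0;
		produced += publish_fixed(&q, p);
	}
	pthread_join(tid, NULL);
	*consumed = c.total;
	return produced;
}
```

The pre-patch shape is the same function with `size_t len = p->len;` moved below the unlock: nothing in the producer's own control flow is wrong, the packet is simply no longer its to read. Building the model with AddressSanitizer and moving that line is a quick way to see the report the kernel patch avoids.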


Thread overview: 5+ messages
2014-04-10  1:22 [PATCH] packet: fix potential use after free Eric Dumazet
2014-04-10  8:19 ` Daniel Borkmann
2014-04-10 15:06   ` Eric Dumazet
2014-04-11 19:59     ` David Miller
2014-04-11 23:37       ` Daniel Borkmann
