* Re: [2.6 patch] drivers/net/wireless/libertas/rx.c: fix use-after-free [not found] <464DD957.9040803@redhat.com> @ 2007-05-18 17:46 ` John W. Linville 2007-05-19 3:14 ` Eugene Teo 0 siblings, 1 reply; 4+ messages in thread From: John W. Linville @ 2007-05-18 17:46 UTC (permalink / raw) To: Eugene Teo; +Cc: linux-kernel, jeff, linux-wireless, Florin Malita First, please send all wireless patches to linux-wireless@vger.kernel.org, and be sure to CC me as well...thanks! On Sat, May 19, 2007 at 12:50:31AM +0800, Eugene Teo wrote: > libertas_upload_rx_packet() calls netif_rx() before returning, and it always return 0. > Also within libertas_upload_rx_packet(), it will initialize skb->protocol anyways. > > Spotted by the Coverity checker. A nearly identical patch was posted by Florin Malita <fmalita@gmail.com> to netdev (also the wrong list) on Wednesday evening. > done: > LEAVE(); > > - skb->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */ > - Except for this part...is this intentional? John -- John W. Linville linville@tuxdriver.com ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [2.6 patch] drivers/net/wireless/libertas/rx.c: fix use-after-free 2007-05-18 17:46 ` [2.6 patch] drivers/net/wireless/libertas/rx.c: fix use-after-free John W. Linville @ 2007-05-19 3:14 ` Eugene Teo 2007-05-21 13:31 ` John W. Linville 0 siblings, 1 reply; 4+ messages in thread From: Eugene Teo @ 2007-05-19 3:14 UTC (permalink / raw) To: linux-wireless; +Cc: John W. Linville, linux-kernel, jeff, Florin Malita John W. Linville wrote: > First, please send all wireless patches to > linux-wireless@vger.kernel.org, and be sure to CC me as well...thanks! > > On Sat, May 19, 2007 at 12:50:31AM +0800, Eugene Teo wrote: >> libertas_upload_rx_packet() calls netif_rx() before returning, and it always return 0. >> Also within libertas_upload_rx_packet(), it will initialize skb->protocol anyways. >> >> Spotted by the Coverity checker. > > A nearly identical patch was posted by Florin Malita <fmalita@gmail.com> > to netdev (also the wrong list) on Wednesday evening. Nod. I wasn't subscribed to netdev list. >> done: >> LEAVE(); >> >> - skb->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */ >> - > > Except for this part...is this intentional? skb could have been freed by then. And, in libertas_upload_rx_packet(), skb->protocol is initialized by eth_type_trans(skb, priv->wlan_dev.netdev). Eugene ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [2.6 patch] drivers/net/wireless/libertas/rx.c: fix use-after-free 2007-05-19 3:14 ` Eugene Teo @ 2007-05-21 13:31 ` John W. Linville 2007-05-21 14:30 ` Eugene Teo 0 siblings, 1 reply; 4+ messages in thread From: John W. Linville @ 2007-05-21 13:31 UTC (permalink / raw) To: Eugene Teo; +Cc: linux-wireless, linux-kernel, jeff, Florin Malita On Sat, May 19, 2007 at 11:14:10AM +0800, Eugene Teo wrote: > John W. Linville wrote: > >> done: > >> LEAVE(); > >> > >> - skb->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */ > >> - > > > > Except for this part...is this intentional? > > skb could have been freed by then. And, in libertas_upload_rx_packet(), skb->protocol > is initialized by eth_type_trans(skb, priv->wlan_dev.netdev). OK, I see that. Looks like Florin has reposted his patch, still without this hunk. Would you like to submit a patch for this hunk? Thanks, John -- John W. Linville linville@tuxdriver.com ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [2.6 patch] drivers/net/wireless/libertas/rx.c: fix use-after-free 2007-05-21 13:31 ` John W. Linville @ 2007-05-21 14:30 ` Eugene Teo 0 siblings, 0 replies; 4+ messages in thread From: Eugene Teo @ 2007-05-21 14:30 UTC (permalink / raw) To: John W. Linville; +Cc: linux-wireless, linux-kernel, jeff, Florin Malita <quote sender="John W. Linville"> > On Sat, May 19, 2007 at 11:14:10AM +0800, Eugene Teo wrote: > > John W. Linville wrote: > > > >> done: > > >> LEAVE(); > > >> > > >> - skb->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */ > > >> - > > > > > > Except for this part...is this intentional? > > > > skb could have been freed by then. And, in libertas_upload_rx_packet(), skb->protocol > > is initialized by eth_type_trans(skb, priv->wlan_dev.netdev). > > OK, I see that. Looks like Florin has reposted his patch, still > without this hunk. Would you like to submit a patch for this hunk? skb could have been freed by then. Also, in libertas_upload_rx_packet(), skb->protocol is initialized by eth_type_trans(). Cc: John W. Linville <linville@tuxdriver.com> Signed-off-by: Eugene Teo <eugeneteo@kernel.sg> --- diff -uprN -X 2.6.22-rc2/Documentation/dontdiff 2.6.22-rc2.default/drivers/net/wireless/libertas/rx.c 2.6.22-rc2/drivers/net/wireless/libertas/rx.c --- 2.6.22-rc2.default/drivers/net/wireless/libertas/rx.c 2007-05-21 22:07:50.000000000 +0800 +++ 2.6.22-rc2/drivers/net/wireless/libertas/rx.c 2007-05-21 22:08:44.000000000 +0800 @@ -453,7 +453,5 @@ static int process_rxed_802_11_packet(wl done: LEAVE(); - skb->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */ - return (ret); } -- 1024D/58DF8823 print 47B9 90F6 AE4A 9C51 37E0 D6E1 EA84 C6A2 58DF 8823 main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); } ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2007-05-21 14:30 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <464DD957.9040803@redhat.com>
2007-05-18 17:46 ` [2.6 patch] drivers/net/wireless/libertas/rx.c: fix use-after-free John W. Linville
2007-05-19 3:14 ` Eugene Teo
2007-05-21 13:31 ` John W. Linville
2007-05-21 14:30 ` Eugene Teo
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).