* drivers/net/wireless/libertas/rx.c: use-after-free
@ 2007-06-29 19:51 Adrian Bunk
2007-06-30 20:02 ` Dan Williams
0 siblings, 1 reply; 3+ messages in thread
From: Adrian Bunk @ 2007-06-29 19:51 UTC (permalink / raw)
To: linville, Holger Schurig; +Cc: linux-wireless, linux-kernel
The Coverity checker spotted the following use-after-free of "skb" in
drivers/net/wireless/libertas/rx.c introduced by
commit 9012b28a407511fb355f6d2176a12d4653489672 (WTF did this commit
with the title "libertas: make debug configurable" add the
"skb->protocol = __constant_htons(0x0019);" line?):
<-- snip -->
...
static int process_rxed_802_11_packet(wlan_private * priv, struct sk_buff *skb)
{
...
libertas_upload_rx_packet(priv, skb);
ret = 0;
done:
skb->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */
...
<-- snip -->
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: drivers/net/wireless/libertas/rx.c: use-after-free
2007-06-29 19:51 drivers/net/wireless/libertas/rx.c: use-after-free Adrian Bunk
@ 2007-06-30 20:02 ` Dan Williams
2007-07-02 8:50 ` Holger Schurig
0 siblings, 1 reply; 3+ messages in thread
From: Dan Williams @ 2007-06-30 20:02 UTC (permalink / raw)
To: Adrian Bunk; +Cc: linville, Holger Schurig, linux-wireless, linux-kernel
On Fri, 2007-06-29 at 21:51 +0200, Adrian Bunk wrote:
> The Coverity checker spotted the following use-after-free of "skb" in
> drivers/net/wireless/libertas/rx.c introduced by
> commit 9012b28a407511fb355f6d2176a12d4653489672 (WTF did this commit
> with the title "libertas: make debug configurable" add the
> "skb->protocol = __constant_htons(0x0019);" line?):
Holger, that's all you :)
dan
> <-- snip -->
>
> ...
> static int process_rxed_802_11_packet(wlan_private * priv, struct sk_buff *skb)
> {
> ...
> libertas_upload_rx_packet(priv, skb);
>
> ret = 0;
>
> done:
> skb->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */
> ...
>
> <-- snip -->
>
>
> cu
> Adrian
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: drivers/net/wireless/libertas/rx.c: use-after-free
2007-06-30 20:02 ` Dan Williams
@ 2007-07-02 8:50 ` Holger Schurig
0 siblings, 0 replies; 3+ messages in thread
From: Holger Schurig @ 2007-07-02 8:50 UTC (permalink / raw)
To: linux-wireless
Cc: Dan Williams, Adrian Bunk, linville, linux-kernel, libertas-dev
libertas: remove a coverity bug
... by removing an ill-conceived, useless line.
Signed-off-by: Holger Schurig <hs4233@mail.mn-solutions.de>
---
Dunno how this line made it into the patch that I made in
February and was commited in May. At that time, I didn't hardly
knew anything about skb's at all and certainly didn't play with
raw ethernet types. Maybe it was a remnant of some bugus test
that I or the committer did?!?
I tested the driver after the removal of this line with ping and
ssh, but not anything else (e.g. no mesh, no tshark monitoring).
drivers/net/wireless/libertas/rx.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/drivers/net/wireless/libertas/rx.c b/drivers/net/wireless/libertas/rx.c
index 88d9d2d..769c86f 100644
--- a/drivers/net/wireless/libertas/rx.c
+++ b/drivers/net/wireless/libertas/rx.c
@@ -439,7 +439,6 @@ static int process_rxed_802_11_packet(wlan_private * priv, struct sk_buff *skb)
ret = 0;
done:
- skb->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */
lbs_deb_leave_args(LBS_DEB_RX, "ret %d", ret);
return ret;
}
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2007-07-02 8:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-06-29 19:51 drivers/net/wireless/libertas/rx.c: use-after-free Adrian Bunk
2007-06-30 20:02 ` Dan Williams
2007-07-02 8:50 ` Holger Schurig
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).