From: Eric Sesterhenn <snakebyte@gmx.de>
To: linux-kernel@vger.kernel.org
Cc: jgarzik@pobox.com
Subject: [Patch] Use after free in net/tulip/de2104x.c
Date: Wed, 22 Mar 2006 22:30:34 +0100 [thread overview]
Message-ID: <1143063034.26499.2.camel@alice> (raw)
hi,
this fixes coverity bug #912, where skb is freed first,
and dereferenced a few lines later with skb->len.
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
--- linux-2.6.16/drivers/net/tulip/de2104x.c.orig 2006-03-22 22:21:53.000000000 +0100
+++ linux-2.6.16/drivers/net/tulip/de2104x.c 2006-03-22 22:25:31.000000000 +0100
@@ -1332,11 +1332,11 @@ static void de_clean_rings (struct de_pr
struct sk_buff *skb = de->tx_skb[i].skb;
if ((skb) && (skb != DE_DUMMY_SKB)) {
if (skb != DE_SETUP_SKB) {
- dev_kfree_skb(skb);
de->net_stats.tx_dropped++;
pci_unmap_single(de->pdev,
de->tx_skb[i].mapping,
skb->len, PCI_DMA_TODEVICE);
+ dev_kfree_skb(skb);
} else {
pci_unmap_single(de->pdev,
de->tx_skb[i].mapping,
reply other threads:[~2006-03-22 21:30 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1143063034.26499.2.camel@alice \
--to=snakebyte@gmx.de \
--cc=jgarzik@pobox.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox