* [Patch] Use after free in net/tulip/de2104x.c
@ 2006-03-22 21:30 Eric Sesterhenn
0 siblings, 0 replies; only message in thread
From: Eric Sesterhenn @ 2006-03-22 21:30 UTC (permalink / raw)
To: linux-kernel; +Cc: jgarzik
hi,
this fixes coverity bug #912, where skb is freed first,
and dereferenced a few lines later with skb->len.
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
--- linux-2.6.16/drivers/net/tulip/de2104x.c.orig 2006-03-22 22:21:53.000000000 +0100
+++ linux-2.6.16/drivers/net/tulip/de2104x.c 2006-03-22 22:25:31.000000000 +0100
@@ -1332,11 +1332,11 @@ static void de_clean_rings (struct de_pr
struct sk_buff *skb = de->tx_skb[i].skb;
if ((skb) && (skb != DE_DUMMY_SKB)) {
if (skb != DE_SETUP_SKB) {
- dev_kfree_skb(skb);
de->net_stats.tx_dropped++;
pci_unmap_single(de->pdev,
de->tx_skb[i].mapping,
skb->len, PCI_DMA_TODEVICE);
+ dev_kfree_skb(skb);
} else {
pci_unmap_single(de->pdev,
de->tx_skb[i].mapping,
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2006-03-22 21:30 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-03-22 21:30 [Patch] Use after free in net/tulip/de2104x.c Eric Sesterhenn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox