netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [RFC: 2.6 patch] hostap_80211_rx(): fix a use-after-free
@ 2006-11-06 14:21 Adrian Bunk
  2006-11-06 18:46 ` Alexey Dobriyan
  0 siblings, 1 reply; 2+ messages in thread
From: Adrian Bunk @ 2006-11-06 14:21 UTC (permalink / raw)
  To: linville; +Cc: netdev, linux-kernel

This patch fixes a use-after-free for "skb" spotted by the Coverity 
checker.

Signed-off-by: Adrian Bunk <bunk@stusta.de>

--- linux-2.6/drivers/net/wireless/hostap/hostap_80211_rx.c.old	2006-11-06 14:51:36.000000000 +0100
+++ linux-2.6/drivers/net/wireless/hostap/hostap_80211_rx.c	2006-11-06 14:52:16.000000000 +0100
@@ -1004,10 +1004,10 @@ void hostap_80211_rx(struct net_device *
 			if (local->hostapd && local->apdev) {
 				/* Send IEEE 802.1X frames to the user
 				 * space daemon for processing */
-				prism2_rx_80211(local->apdev, skb, rx_stats,
-						PRISM2_RX_MGMT);
 				local->apdevstats.rx_packets++;
 				local->apdevstats.rx_bytes += skb->len;
+				prism2_rx_80211(local->apdev, skb, rx_stats,
+						PRISM2_RX_MGMT);
 				goto rx_exit;
 			}
 		} else if (!frame_authorized) {

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: [RFC: 2.6 patch] hostap_80211_rx(): fix a use-after-free
  2006-11-06 14:21 [RFC: 2.6 patch] hostap_80211_rx(): fix a use-after-free Adrian Bunk
@ 2006-11-06 18:46 ` Alexey Dobriyan
  0 siblings, 0 replies; 2+ messages in thread
From: Alexey Dobriyan @ 2006-11-06 18:46 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: linville, netdev, linux-kernel

On Mon, Nov 06, 2006 at 03:21:48PM +0100, Adrian Bunk wrote:
> This patch fixes a use-after-free for "skb" spotted by the Coverity
> checker.

> --- linux-2.6/drivers/net/wireless/hostap/hostap_80211_rx.c.old
> +++ linux-2.6/drivers/net/wireless/hostap/hostap_80211_rx.c
> @@ -1004,10 +1004,10 @@ void hostap_80211_rx(struct net_device *
>  			if (local->hostapd && local->apdev) {
>  				/* Send IEEE 802.1X frames to the user
>  				 * space daemon for processing */
> -				prism2_rx_80211(local->apdev, skb, rx_stats,
> -						PRISM2_RX_MGMT);
>  				local->apdevstats.rx_packets++;
>  				local->apdevstats.rx_bytes += skb->len;
> +				prism2_rx_80211(local->apdev, skb, rx_stats,
> +						PRISM2_RX_MGMT);
>  				goto rx_exit;

Network drivers set rx_packets and rx_bytes after netif_rx. And last_rx,
too. The trick seems to be to use pkt_len variable.

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2006-11-06 18:46 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-11-06 14:21 [RFC: 2.6 patch] hostap_80211_rx(): fix a use-after-free Adrian Bunk
2006-11-06 18:46 ` Alexey Dobriyan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).