[patch -next] 6LoWPAN: double free in lowpan_fragment_xmit()

[patch -next] 6LoWPAN: double free in lowpan_fragment_xmit()

[Dan Carpenter]

dev_queue_xmit() consumes its own skb, so the call to dev_kfree_skb()
ieee802154/6lowpan.clowpan_fragment_xmits a double free.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
index 602f318..e4ecc1e 100644
--- a/net/ieee802154/6lowpan.c
+++ b/net/ieee802154/6lowpan.c
@@ -980,9 +980,6 @@ lowpan_fragment_xmit(struct sk_buff *skb, u8 *head,
 
 	ret = dev_queue_xmit(frag);
 
-	if (ret < 0)
-		dev_kfree_skb(frag);
-
 	return ret;
 }
 

Re: [patch -next] 6LoWPAN: double free in lowpan_fragment_xmit()

[Dan Carpenter]

[-- Attachment #1: Type: text/plain, Size: 339 bytes --]

On Wed, Nov 16, 2011 at 11:21:38AM +0300, Dan Carpenter wrote:
> dev_queue_xmit() consumes its own skb, so the call to dev_kfree_skb()
> ieee802154/6lowpan.clowpan_fragment_xmits a double free.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Dur...  I messed up my commit message right before sending.  Will
resend.

regards,
dan carpenter



[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

[patch -next v2] 6LoWPAN: double free in lowpan_fragment_xmit()

[Dan Carpenter]

[-- Attachment #1: Type: text/plain, Size: 548 bytes --]

dev_queue_xmit() consumes its own skb, so the call to dev_kfree_skb()
in lowpan_fragment_xmit() is a double free.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: fixed commit message.

diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
index 602f318..e4ecc1e 100644
--- a/net/ieee802154/6lowpan.c
+++ b/net/ieee802154/6lowpan.c
@@ -980,9 +980,6 @@ lowpan_fragment_xmit(struct sk_buff *skb, u8 *head,
 
 	ret = dev_queue_xmit(frag);
 
-	if (ret < 0)
-		dev_kfree_skb(frag);
-
 	return ret;
 }
 


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [patch -next v2] 6LoWPAN: double free in lowpan_fragment_xmit()

[Alexander Smirnov]

2011/11/16 Dan Carpenter <dan.carpenter@oracle.com>:
> dev_queue_xmit() consumes its own skb, so the call to dev_kfree_skb()
> in lowpan_fragment_xmit() is a double free.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: fixed commit message.
>
> diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
> index 602f318..e4ecc1e 100644
> --- a/net/ieee802154/6lowpan.c
> +++ b/net/ieee802154/6lowpan.c
> @@ -980,9 +980,6 @@ lowpan_fragment_xmit(struct sk_buff *skb, u8 *head,
>
>        ret = dev_queue_xmit(frag);
>
> -       if (ret < 0)
> -               dev_kfree_skb(frag);
> -
>        return ret;
>  }
>
>
>

Acked-by: Alexander Smirnov <alex.bluesman.smirnov@gmail.com>

Re: [patch -next v2] 6LoWPAN: double free in lowpan_fragment_xmit()

[David Miller]

From: Alexander Smirnov <alex.bluesman.smirnov@gmail.com>
Date: Wed, 16 Nov 2011 11:42:07 +0300

> 2011/11/16 Dan Carpenter <dan.carpenter@oracle.com>:
>> dev_queue_xmit() consumes its own skb, so the call to dev_kfree_skb()
>> in lowpan_fragment_xmit() is a double free.
>>
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 ...
> 
> Acked-by: Alexander Smirnov <alex.bluesman.smirnov@gmail.com>

Applied, thanks.