[ovs-dev] [PATCH] vport-capwap: Fix use-after-free on error path.
Ben Pfaff
blp at nicira.com
Fri Oct 21 22:28:35 UTC 2011
I originally meant just to fix the use of kfree_skb() instead of
consume_skb() on the success path, but then I realized that the failure
path returned an skb that it had just freed.
Signed-off-by: Ben Pfaff <blp at nicira.com>
---
datapath/vport-capwap.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/datapath/vport-capwap.c b/datapath/vport-capwap.c
index 3fb4ffb..8d78b6d 100644
--- a/datapath/vport-capwap.c
+++ b/datapath/vport-capwap.c
@@ -507,13 +507,13 @@ static struct sk_buff *fragment(struct sk_buff *skb, const struct vport *vport,
remaining -= frag_size;
}
- goto out;
+ consume_skb(skb);
+ return result;
error:
tnl_free_linked_skbs(result);
-out:
kfree_skb(skb);
- return result;
+ return NULL;
}
/* All of the following functions relate to fragmentation reassembly. */
--
1.7.4.4
More information about the dev
mailing list