ath11k: avoid use_after_free in ath11k_dp_rx_msdu_coalesce API
Accessing already stored first msdu data after the skb expand trigger use_after_free, since first msdu got deleted. so do the descriptor copy operation before the skb expand operation. Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
This commit is contained in:
parent
f425078b44
commit
30679ec409
|
@ -1376,6 +1376,11 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar,
|
|||
skb_put(first, DP_RX_BUFFER_SIZE);
|
||||
skb_pull(first, buf_first_hdr_len);
|
||||
|
||||
/* When an MSDU spread over multiple buffers attention, MSDU_END and
|
||||
* MPDU_END tlvs are valid only in the last buffer. Copy those tlvs.
|
||||
*/
|
||||
ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc);
|
||||
|
||||
space_extra = msdu_len - (buf_first_len + skb_tailroom(first));
|
||||
if (space_extra > 0 &&
|
||||
(pskb_expand_head(first, 0, space_extra, GFP_ATOMIC) < 0)) {
|
||||
|
@ -1391,11 +1396,6 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar,
|
|||
return -ENOMEM;
|
||||
}
|
||||
|
||||
/* When an MSDU spread over multiple buffers attention, MSDU_END and
|
||||
* MPDU_END tlvs are valid only in the last buffer. Copy those tlvs.
|
||||
*/
|
||||
ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc);
|
||||
|
||||
rem_len = msdu_len - buf_first_len;
|
||||
while ((skb = __skb_dequeue(msdu_list)) != NULL && rem_len > 0) {
|
||||
rxcb = ATH11K_SKB_RXCB(skb);
|
||||
|
|
Loading…
Reference in New Issue